[Sugar-devel] IMPORTANT: sugar-jhbuild: security update of xulrunner
Sascha Silbe
sascha-ml-ui-sugar-devel at silbe.org
Tue Mar 24 06:48:28 EDT 2009
Hello!
Short summary:
If you're using sugar-jhbuild on Debian, please run "cd sugar-jhbuild &&
rm -rf source/mozilla source/hulahop install && ./sugar-jhbuild build"
before using anything web-related the next time.
Otherwise (i.e. not running on Debian), please make sure
sugar-jhbuild/source/mozilla does not exist (if it does exist, execute
the commands given above as well).
Long explanation:
xulrunner has had a security update. Most of you will we be unaffected
as we're using the distro package if we can (you do install distro
security updates regularly, do you?). But for Debian sid+squeeze, we
need to use our own copy due to path mismatches.
Usually this wouldn't be a big deal, as sugar-jhbuild is meant to pull
the latest version of each package and build it, so taking care of
security updates automatically. Unfortunately, this does NOT work
properly for tarballs: if any previous tarball has been extracted, any
updated version will be left untouched! So to build the updated version,
you need to remove the entire "sugar-jhbuild/source/mozilla" directory.
As xulrunner uses the full version number inside directories (*), you
need to ensure no outdated version is still installed and hulahop gets
rebuilt from scratch. The easiest way to do that is to remove the
directories "sugar-jhbuild/source/hulahop" and "sugar-jhbuild/install".
Run a full build ("./sugar-jhbuild build") afterwards.
(*) Incidentally, Debian fixed this (so installing the updated package
should have been enough, no rebuild of hulahop needed). Unfortunately,
all other distros (including Ubuntu) use the same paths as upstream...
Seems like Mozilla products suck a lot regarding security updates
(see the note about Iceweasel in the etch release notes as well). :(
CU Sascha
--
http://sascha.silbe.org/
http://www.infra-silbe.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: Digital signature
Url : http://lists.sugarlabs.org/archive/sugar-devel/attachments/20090324/b72eedcf/attachment.pgp
More information about the Sugar-devel
mailing list