[Sugar-devel] IMPORTANT: sugar-jhbuild: security update of xulrunner

Morgan Collett morgan.collett at gmail.com
Tue Mar 24 07:52:20 EDT 2009


2009/3/24 Sascha Silbe <sascha-ml-ui-sugar-devel at silbe.org>:
> Hello!
>
> Short summary:
> If you're using sugar-jhbuild on Debian, please run "cd sugar-jhbuild && rm
> -rf source/mozilla source/hulahop install && ./sugar-jhbuild build" before
> using anything web-related the next time.
> Otherwise (i.e. not running on Debian), please make sure
> sugar-jhbuild/source/mozilla does not exist (if it does exist, execute the
> commands given above as well).
>
>
> Long explanation:
> xulrunner has had a security update. Most of you will be unaffected as
> we're using the distro package if we can (you do install distro security
> updates regularly, do you?). But for Debian sid+squeeze, we need to use our
> own copy due to path mismatches.
> Usually this wouldn't be a big deal, as sugar-jhbuild is meant to pull the
> latest version of each package and build it, so taking care of security
> updates automatically. Unfortunately, this does NOT work properly for
> tarballs: if any previous tarball has been extracted, any updated version
> will be left untouched! So to build the updated version, you need to remove
> the entire "sugar-jhbuild/source/mozilla" directory.
> As xulrunner uses the full version number inside directories (*), you need
> to ensure no outdated version is still installed and hulahop gets rebuilt
> from scratch. The easiest way to do that is to remove the directories
> "sugar-jhbuild/source/hulahop" and "sugar-jhbuild/install". Run a full build
> ("./sugar-jhbuild build") afterwards.
>
>
> (*) Incidentally, Debian fixed this (so installing the updated package
> should have been enough, no rebuild of hulahop needed). Unfortunately, all
> other distros (including Ubuntu) use the same paths as upstream...
>    Seems like Mozilla products suck a lot regarding security updates (see
> the note about Iceweasel in the etch release notes as well). :(

Yes, this means that Ubuntu needs the hulahop package to be rebuilt
and pushed out as an update every time there is a Firefox/xulrunner
security update. Since hulahop is in universe ("community maintained")
the update procedure doesn't have a very high priority, and requires
multiple people to enable the -proposed repos and test before it is
pushed out to -updates - for each supported distro release.

I must go through the process for intrepid and hardy again, because
there was yet another rev to xulrunner - I think the previous hardy
update to hulahop was never even pushed out because nobody other than
me tested it and we need at least two ACKs.

This is a dilemma - nobody uses the hardy packages because "they're
always broken" - but we can't fix them unless somebody uses them, even
if only to test... Anybody interested in helping, please join the
Ubuntu Sugar Team mailing list mentioned on
https://wiki.ubuntu.com/SugarTeam.

Regards
Morgan
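As an added example (not code from the thread or from sugar-jhbuild itself), a small POSIX shell helper that checks a sugar-jhbuild checkout for the stale-tarball condition Sascha describes and performs the same cleanup, with a dry-run mode; it assumes the in-tree build installs xulrunner into install/lib/xulrunner-<version> (the upstream-style versioned directory the thread mentions), which is not stated on the page.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumption: a private
# xulrunner build lands in <root>/install/lib/xulrunner-<version>, mirroring
# the upstream /usr/lib/xulrunner-<version> layout.

# Print the version suffix of every xulrunner directory under <root>/install.
installed_xulrunner_versions() {
    root="$1"
    for d in "$root"/install/lib/xulrunner-*; do
        [ -d "$d" ] || continue          # unmatched glob stays literal; skip it
        printf '%s\n' "${d##*/xulrunner-}"
    done
}

# True (exit 0) if the checkout needs the cleanup + rebuild: either a private
# mozilla tarball extraction exists (source/mozilla), or an installed xulrunner
# other than the expected version ($2) is still present.
needs_rebuild() {
    root="$1"; expected="$2"
    [ -d "$root/source/mozilla" ] && return 0
    for v in $(installed_xulrunner_versions "$root"); do
        [ "$v" = "$expected" ] || return 0
    done
    return 1
}

# Remove the three trees named in the thread so the next "./sugar-jhbuild
# build" re-extracts xulrunner and rebuilds hulahop from scratch.
# With DRY_RUN=1 only report what would be removed.
clean_stale_mozilla() {
    root="$1"
    for d in source/mozilla source/hulahop install; do
        [ -e "$root/$d" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would remove $root/$d"
        else
            rm -rf "$root/$d"
        fi
    done
}

# Typical use: needs_rebuild ~/sugar-jhbuild <fixed-version> && \
#   clean_stale_mozilla ~/sugar-jhbuild && (cd ~/sugar-jhbuild && ./sugar-jhbuild build)
```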

