[Sugar-devel] IMPORTANT: sugar-jhbuild: security update of xulrunner

Morgan Collett morgan.collett at gmail.com
Tue Mar 24 07:52:20 EDT 2009

2009/3/24 Sascha Silbe <sascha-ml-ui-sugar-devel at silbe.org>:
> Hello!
> Short summary:
> If you're using sugar-jhbuild on Debian, please run "cd sugar-jhbuild && rm
> -rf source/mozilla source/hulahop install && ./sugar-jhbuild build" before
> using anything web-related the next time.
> Otherwise (i.e. not running on Debian), please make sure
> sugar-jhbuild/source/mozilla does not exist (if it does exist, execute the
> commands given above as well).
> Long explanation:
> xulrunner has had a security update. Most of you will be unaffected as
> we're using the distro package if we can (you do install distro security
> updates regularly, do you?). But for Debian sid+squeeze, we need to use our
> own copy due to path mismatches.
> Usually this wouldn't be a big deal, as sugar-jhbuild is meant to pull the
> latest version of each package and build it, so taking care of security
> updates automatically. Unfortunately, this does NOT work properly for
> tarballs: if any previous tarball has been extracted, any updated version
> will be left untouched! So to build the updated version, you need to remove
> the entire "sugar-jhbuild/source/mozilla" directory.
> As xulrunner uses the full version number inside directories (*), you need
> to ensure no outdated version is still installed and hulahop gets rebuilt
> from scratch. The easiest way to do that is to remove the directories
> "sugar-jhbuild/source/hulahop" and "sugar-jhbuild/install". Run a full build
> ("./sugar-jhbuild build") afterwards.
> (*) Incidentally, Debian fixed this (so installing the updated package
> should have been enough, no rebuild of hulahop needed). Unfortunately, all
> other distros (including Ubuntu) use the same paths as upstream...
>    Seems like Mozilla products suck a lot regarding security updates (see
> the note about Iceweasel in the etch release notes as well). :(

Yes, this means that Ubuntu needs the hulahop package to be rebuilt
and pushed out as an update every time there is a Firefox/xulrunner
security update. Since hulahop is in universe ("community maintained")
the update procedure doesn't have a very high priority, and requires
multiple people to enable the -proposed repos and test before it is
pushed out to -updates - for each supported distro release.

I must go through the process for intrepid and hardy again, because
there was yet another rev to xulrunner - I think the previous hardy
update to hulahop was never even pushed out because nobody other than
me tested it and we need at least two ACKs.

This is a dilemma - nobody uses the hardy packages because "they're
always broken" - but we can't fix them unless somebody uses them, even
if only to test... Anybody interested in helping, please join the
Ubuntu Sugar Team mailing list mentioned on
