[Sugar-devel] IMPORTANT: sugar-jhbuild: security update of xulrunner

David Farning dfarning at sugarlabs.org
Tue Mar 24 14:35:23 EDT 2009


On Tue, Mar 24, 2009 at 6:52 AM, Morgan Collett
<morgan.collett at gmail.com> wrote:
> 2009/3/24 Sascha Silbe <sascha-ml-ui-sugar-devel at silbe.org>:
>> Hello!
>>
>> Short summary:
>> If you're using sugar-jhbuild on Debian, please run "cd sugar-jhbuild && rm
>> -rf source/mozilla source/hulahop install && ./sugar-jhbuild build" before
>> using anything web-related the next time.
>> Otherwise (i.e. not running on Debian), please make sure
>> sugar-jhbuild/source/mozilla does not exist (if it does exist, execute the
>> commands given above as well).
>>
>>
>> Long explanation:
>> xulrunner has had a security update. Most of you will be unaffected as
>> we're using the distro package if we can (you do install distro security
>> updates regularly, do you?). But for Debian sid+squeeze, we need to use our
>> own copy due to path mismatches.
>> Usually this wouldn't be a big deal, as sugar-jhbuild is meant to pull the
>> latest version of each package and build it, so taking care of security
>> updates automatically. Unfortunately, this does NOT work properly for
>> tarballs: if any previous tarball has been extracted, any updated version
>> will be left untouched! So to build the updated version, you need to remove
>> the entire "sugar-jhbuild/source/mozilla" directory.
>> As xulrunner uses the full version number inside directories (*), you need
>> to ensure no outdated version is still installed and hulahop gets rebuilt
>> from scratch. The easiest way to do that is to remove the directories
>> "sugar-jhbuild/source/hulahop" and "sugar-jhbuild/install". Run a full build
>> ("./sugar-jhbuild build") afterwards.
>>
>>
>> (*) Incidentally, Debian fixed this (so installing the updated package
>> should have been enough, no rebuild of hulahop needed). Unfortunately, all
>> other distros (including Ubuntu) use the same paths as upstream...
>>    Seems like Mozilla products suck a lot regarding security updates (see
>> the note about Iceweasel in the etch release notes as well). :(
>
> Yes, this means that Ubuntu needs the hulahop package to be rebuilt
> and pushed out as an update every time there is a Firefox/xulrunner
> security update. Since hulahop is in universe ("community maintained")
> the update procedure doesn't have a very high priority, and requires
> multiple people to enable the -proposed repos and test before it is
> pushed out to -updates - for each supported distro release.
>
> I must go through the process for intrepid and hardy again, because
> there was yet another rev to xulrunner - I think the previous hardy
> update to hulahop was never even pushed out because nobody other than
> me tested it and we need at least two ACKs.
>
> This is a dilemma - nobody uses the hardy packages because "they're
> always broken" - but we can't fix them unless somebody uses them, even
> if only to test... Anybody interested in helping, please join the
> Ubuntu Sugar Team mailing list mentioned on
> https://wiki.ubuntu.com/SugarTeam.
>
> Regards
> Morgan


I have been trying to dog food Sugar on Jaunty.

Sadly, I have not been able to successfully install Sugar.

I will keep trying. As long as I have a command line and a browser I
should be able to function normally.

david

