mozilla security patches and prebuilt package

Martin Schulze joey at
Mon Oct 3 19:02:57 UTC 2005

Alexander Sack wrote:
> > Could you tell me which version in sid fix the problems you've fixed
> > in the security update?
> Sure, 1.0.6-4 was a quick upload for MFSA-2005-59. 1.0.7-1 superseded
> this by taking the full upstream release.


> Suggestions on how to improve the generated changelog entries and long
> report format are welcome. For the next release I will adapt the
> changelog format as eric requested. Let's see if that is better.

Ok.  We should be able to associate patches and vulnerabilities
(i.e. CVE names).  The current format works for me at least.

> Since thunderbird and firefox come from the same stable release
> branch, mozilla devs take all patches from firefox and apply them to 
> thunderbird too.
> How should we deal with this? Is it ok, to apply changes that go
> in for firefox to thunderbird too - even though the issues addressed
> do not affect thunderbird directly?

Hmm.  In general I'd say no.  However, looking at the problems we've
had with Mozilla and friends in the past, I could imagine that you'll
run into trouble with later patches when you don't apply all patches.

So, if possible, I'd like the patches that are not required, not to be
applied.  However, if that's needed for later fixes, we'd have to.

> All this is important, because mozilla documented that thunderbird is
> only affected by MFSA-2005-59. MFSA-2005-57 and MFSA-2005-58
> apparently don't affect thunderbird[1]. Anyway, please consider that 
> forking the code-base could become a real pain in the ass for future 
> security fixes, so keeping the patches would be sane IMO.

Yes, like I wrote above.

If you apply the patches not required, please document in the
changelog that these vulnerabilities don't apply but patches were
applied in order to keep the codebase close to upstream's.

> Another question is whether we should document MFSA-2005-57 and
> MFSA-2005-58 (and the associated CANs) in the thunderbird Advisory.

Usually no.  However, if the associated patches are applied as well,
I'll write a note in the advisory.



Unix is user friendly ...  It's just picky about its friends.
