Mozilla codebase releases 1.8.1.2 and 1.8.0.10

Alexander Sack asac at debian.org
Sun Feb 25 15:56:11 CET 2007


On Sun, Feb 25, 2007 at 09:39:46AM +0100, Mike Hommey wrote:
> Hi,
> 
> Mozilla has released security updates for its 1.8 and 1.8.0 branches,
> respectively 1.8.1.2 (for Firefox 2.0.0.2) and 1.8.0.10 (for Seamonkey
> 1.0.8, Thunderbird 1.5.0.10).
> 
> While on the 1.8 branch, the changes to nspr and nss might not be as
> substantial, the changes to the 1.8.0 branch consisted in taking new
> upstream versions:
> 
> Mozilla version      1.8.0.9      1.8.1.1     1.8.0.10 and 1.8.1.2
> NSPR version         4.6.1        4.6.4       4.6.5
> NSS version          3.10.2       3.11.4      3.11.5

To me, 4.6.1 and 4.6.5 (nspr) look like they are from the same branch, while
3.10.2 and 3.11.5 (nss) look different.

> 
> The changes between minor versions might mostly be security updates,
> though I've not had time and probably won't have much to dig into the
> code and/or upstream CVS.
> 
> So while we're mostly safe with the iceweasel upgrade, we may be going
> to introduce new versions of NSPR and NSS if we blindly upgrade to the
> latest 1.8.0 branch releases.
> 
> While it may not be a huge problem with iceape and icedove, since they
> are using their own copies of the libraries, it may be more of a problem
> for xulrunner which provides libnss and libnspr for other packages to
> build.
> 
> I *won't* have time to cherry pick security fixes to make a proper
> upload involving less risk for the release, so I'm requesting help:
> - either be allowed to upload these new versions to the archive
> - or someone (could be several someones) motivated enough and with a lot
>   of spare time could cherry pick the security fixes for nspr and nss
>   for incorporation in the 1.8.0 branch.


I can't remember anything special about nspr, but the reason why Mozilla
had to switch to another NSS branch is because they burned themselves
by cherry-picking security fixes from the officially maintained nss
branch. So let's not make the same fault here.

> 
> I'll let the RMs decide whether iceape and icedove upgrades are less
> problematic since they don't involve reverse dependencies.
> 
> The iceweasel upgrade may only involve security fixes and minor
> enhancements, but I've not looked into the changes yet, but I hope Eric
> will ;).
> 
> The only thing I can tell to reassure you is that NSPR and NSS have
> strong ABI stability requirements, since they are used by closed-source
> products such as SunOne, so we're probably safe here. OTOH, NSS added
> some new stuff (such as libfreebl) that may need some care to not mess
> with, especially on xulrunner, but I've had to deal with it with
> iceweasel so that's not a big surprise.

... I remember discussion about the NSS migration; it was assured that
NSS has hard ABI compatibility requirements. So do we really have
problems with NSS in xulrunner or not?

 - Alexander
-- 
 GPG messages preferred.    |  .''`.  ** Debian GNU/Linux **
 Alexander Sack             | : :' :      The  universal
 asac at debian.org            | `. `'      Operating System
 http://www.asoftsite.org/  |   `-    http://www.debian.org/


