New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
thunderbird, thunderbird-bin: 68.2.2 -> 68.3.0 [High security fixes] #74973
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, but I have a question:
@@ -53,7 +53,7 @@ in stdenv.mkDerivation rec { | |||
# Remove buildconfig.html to prevent a dependency on clang etc. | |||
./no-buildconfig.patch | |||
] | |||
++ lib.optional (lib.versionOlder version "69") | |||
++ lib.optional (lib.versionOlder version "68.3.0") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this mean that 68.3.0 itself shall not have this patch applied?
If so, is it nonetheless best practice to leave that lib.optional clause in the derivation, now that the version is at that level?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed the patch.
72a5180
to
85e99ba
Compare
I'll suggest that this be superseded by #75328. |
#75328 makes much more extensive changes than #74973, which might therefore also be more difficult and time-consuming to review and might warrant more testing. So unless these changes are all needed to be able to bump the version without issues, I'd suggest to get in just the version bump first by reviewing and merging #74973 and then focus on the the remaining changes of #75328. That way, we'd get the open security issues out of the way sooner and we'll be able also easily backport the version bump to the stable 19.09 channel (already ongoing in #75126) to make it more secure, too, without introducing changes too overreaching for a "stable" branch. We could then (or already in parallel) review #75328 without haste and if some changes of #75328 turn out to be controversial, that won't delay getting out the security fixes. |
@das-g Fair enough, agreed :) |
This should be closed since #75328 was merged. |
Motivation for this change
https://www.thunderbird.net/en-US/thunderbird/68.3.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nix-review --run "nix-review wip"
./result/bin/
)nix path-info -S
before and after)Tested both
thunderbird-bin
andthunderbird
.Notify maintainers
cc @Fuuzetsu, @nbp, @edolstra