Navigation Menu

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

firefox: 68.0.2 -> 69.0 #67924

Merged
merged 6 commits into from Sep 7, 2019
Merged

firefox: 68.0.2 -> 69.0 #67924

merged 6 commits into from Sep 7, 2019

Conversation

andir
Copy link
Member

@andir andir commented Sep 2, 2019
edited

Motivation for this change

Firefox 69 is scheduled to be released tomorrow. To be able to build that we will have to bump NSS on master and add yet a bit more of logic to the build expression.

Changelog: https://www.mozilla.org/en-US/firefox/69.0/releasenotes/
Security Fixes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

@andir andir changed the title firefox 69 preperations WIP: firefox 69 preperations Sep 2, 2019
@ofborg ofborg bot requested a review from edolstra September 2, 2019 14:28
@mweinelt
Copy link
Member

mweinelt commented Sep 2, 2019

I did a build and it's been running well for the last half hour of active browsing 👍

Thanks!

@andir andir changed the title WIP: firefox 69 preperations firefox: 68.0.2 -> 69 Sep 3, 2019
@andir andir mentioned this pull request Sep 3, 2019
Merged
10 tasks
vcunat added a commit that referenced this pull request Sep 3, 2019
@vcunat
Merge nss update from #67924 into staging
62d3656 
Let's try to do some rebuilds in advance of Firefox release.
@andir andir changed the title firefox: 68.0.2 -> 69 firefox: 68.0.2 -> 69.0 Sep 3, 2019
@andir
Copy link
Member Author

andir commented Sep 3, 2019

Thanks @vcunat I was just about to do that as well :-)

@vcunat
Copy link
Member

vcunat commented Sep 3, 2019
edited

I forgot to push it yesterday, but hopefully this staging-next iteration won't take too long. We'll see about regressions from other changes.

@tokudan
Copy link
Contributor

tokudan commented Sep 3, 2019

The Security Advisory for this update can be found here:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/
For Linux it's not "Critical", but "High" should still be patched soon.
CVE-2019-11746 could be a code execution, according to the description.

@andir
Copy link
Member Author

andir commented Sep 3, 2019

@vcunat From my point of view this is good to go in. The staging-next build seems to be rather extensive. Do we want to wait for that to finish?

I did a rebuild of the nixos release set and it looks fine.

@vcunat
Copy link
Member

vcunat commented Sep 3, 2019
edited

🤔 Borg claims about 23k rebuilds for this PR, and there's 55k remaining for staging-next on Hydra (including the NSS bump). The other CVEs fixed in current master..staging-next seem less important at a quick look, though. It's not clear to me which way to go.

@andir
Copy link
Member Author

andir commented Sep 3, 2019

Yeah, that number is surprisingly high. The 19.03 PR only had: 7k https://gist.github.com/GrahamcOfBorg/d6630ad59e271a709ed6f4d21832b4fd

Looking back at the previous PR to master it was in the same ballpark: https://gist.github.com/GrahamcOfBorg/3248abcdc9f3f98ac51b03a7ab13409a

@andir
firefox/wrapper: Set new style override for legacy profiles & allow d…
87e2618 
…owngrades

While Firefox 68 started messing with our profiles and required new
profiles on binary location changes Firefox 69 now verifies that we
aren't downgrading to an older Firefox even of the same version. If you
switch between two channel versions and/or between nixpkgs releases
Firefox will refuse to start and demand a fresh profile. Disabling the
downgrade protection works around that issue.
@andir andir mentioned this pull request Sep 4, 2019
Merged
10 tasks
vcunat added a commit that referenced this pull request Sep 7, 2019
@vcunat
Merge #67924: firefox: 68.0.2 -> 69.0
41ce0c2
@vcunat vcunat merged commit 6dce809 into NixOS:master Sep 7, 2019
@vcunat
Copy link
Member

vcunat commented Sep 7, 2019

The mass rebuilds were in master for several hours now.

@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/why-does-the-following-setup-reset-firefox/4129/3

@flokli flokli mentioned this pull request Feb 3, 2020
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edolstra edolstra Awaiting requested review from edolstra

Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 501+ 10.rebuild-darwin: 1001-2500 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+ 11.by: package-maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@andir @mweinelt @vcunat @tokudan @nixos-discourse