firefox: 55.0.3 -> 56.0.1, firefox-esr: 52.3.0esr -> 52.4.0esr [Critical security fixes] #30143

Merged
merged 7 commits into from Oct 7, 2017

taku0
Contributor

@taku0 taku0 commented Oct 5, 2017

Motivation for this change
  • Critical security fixes
  • Firefox Screenshots
  • Address form autofill (en-US only)
  • Updated Preferences
  • Media opened in a background tab will not play until the tab is selected
  • Improved Send Tabs feature of Sync
  • Other improvements

https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/
https://www.mozilla.org/en-US/firefox/56.0/releasenotes/

Firefox now uses more Rust code. It generates bindings with Clang, but it fails if cstddef or other headers are in non-standard directories. So I added -cxx-isystem and -isystem to ServoBindings.toml.

The pkg-config script for NSS was provided as a patch, but NSS now has an official one. It still requires some postInstall script.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@taku0 taku0 changed the title from "firefox: 55.0.3 -> 56.0, firefox-esr: 52.3.0esr -> 52.4.0esr" to "firefox: 55.0.3 -> 56.0, firefox-esr: 52.3.0esr -> 52.4.0esr [Critical security fixes]" Oct 6, 2017
@taku0 taku0 changed the title from "firefox: 55.0.3 -> 56.0, firefox-esr: 52.3.0esr -> 52.4.0esr [Critical security fixes]" to "firefox: 55.0.3 -> 56.0.1, firefox-esr: 52.3.0esr -> 52.4.0esr [Critical security fixes]" Oct 6, 2017
@edolstra
Member

edolstra commented Oct 6, 2017

Is the icu upgrade necessary for Firefox? Because we may not want to cherry-pick that on the stable branch.

@taku0
Contributor Author

taku0 commented Oct 6, 2017

Yes, Firefox requires icu-i18n 59.1.

DEBUG: configure:17780: checking for icu-i18n >= 59.1
DEBUG: configure: error: Library requirements (icu-i18n >= 59.1) not met; consider adjusting the PKG_CONFIG_PATH environment variable if your libraries are in a nonstandard prefix so pkg-config can find them.

@taku0
Contributor Author

taku0 commented Oct 6, 2017

Made 58.2 coexist with 59.1. Please tweak all-packages.nix when cherry-picking on the stable branch, i.e. from icu = icu59; to icu = icu58;

@vcunat vcunat merged commit 821e3c2 into NixOS:master Oct 7, 2017
vcunat added a commit that referenced this pull request Oct 7, 2017
@vcunat
Member

vcunat commented Oct 7, 2017

I tried running both firefox versions only for a while, and I could see nothing wrong. I kept icu version to 58 by default for now, saving ~1400 rebuilds on x86_64-linux: a7159d3.

@grahamc
Member

grahamc commented Oct 7, 2017

@vcunat can you backport to 17.09 as well?

@vcunat
Member

vcunat commented Oct 7, 2017

Yes, I'm just building atop 17.09. Also 17.03 is still supported for security, I guess?

@grahamc
Member

grahamc commented Oct 7, 2017

17.03 is receiving some patches, yeah, so I reckon it can't hurt -- but perhaps harder to backport.

@vcunat
Member

vcunat commented Oct 7, 2017

I'll see how hard 17.03 is. 17.09 still tends to be easy, as it's forked only several weeks ago.

vcunat added a commit that referenced this pull request Oct 7, 2017
vcunat added a commit that referenced this pull request Oct 7, 2017
vcunat added a commit that referenced this pull request Oct 7, 2017
It needs rustc-1.17, and I don't see how to port it ATM.  /cc #30143
@vcunat
Member

vcunat commented Oct 7, 2017

Hmm, hard I guess. 56.x needs rustc-1.17 and I didn't manage to port that one straightaway, so I picked all but 55.x -> 56.x. I no longer have enough motivation to continue on that for 17.03, so feel free to pick it up!

@vcunat
Member

vcunat commented Oct 8, 2017

This broke the thunderbird build (it's the latest release). It now fails with:

In file included from /tmp/nix-build-thunderbird-52.4.0.drv-0/objdir/dist/include/ScopedNSSTypes.h:16:0,
                 from /tmp/nix-build-thunderbird-52.4.0.drv-0/thunderbird-52.4.0/mozilla/netwerk/base/BackgroundFileSaver.h:15,
                 from /tmp/nix-build-thunderbird-52.4.0.drv-0/thunderbird-52.4.0/mozilla/netwerk/base/BackgroundFileSaver.cpp:7,
                 from /tmp/nix-build-thunderbird-52.4.0.drv-0/objdir/netwerk/base/Unified_cpp_netwerk_base0.cpp:11:
/tmp/nix-build-thunderbird-52.4.0.drv-0/objdir/dist/system_wrappers/cert.h:3:23: fatal error: cert.h: No such file or directory
 #include_next <cert.h>
                       ^
compilation terminated.

@orivej
Contributor

orivej commented Oct 8, 2017

The update to nss also broke the compilation of xmlsec (a dependency of libreoffice).

@7c6f434c
Member

7c6f434c commented Oct 8, 2017

Hm, true. d66a340 (re: xmlsec)

@7c6f434c
Member

7c6f434c commented Oct 9, 2017

Hm, sssd seems to be broken by nss update and simple include path shuffling is not enough…

@vcunat
Member

vcunat commented Oct 10, 2017

nss update also broke chromium #30275.

@7c6f434c
Member

@vcunat hopefully, 034c168 fixes everything.

@vcunat
Member

vcunat commented Oct 11, 2017

I picked it to 17.09 and 17.03 after some testing in there. /cc @globin.

vcunat added a commit that referenced this pull request Oct 14, 2017
Broken since #30143.
I can't say I understand why this combination is apparently unsupported.
i686-linux is a second-tier platform now, but firefox is still kept a
channel blocker...

(cherry picked from commit e067d26)
@vcunat
Member

vcunat commented Oct 14, 2017

On i686-linux we're getting

--with-libclang-path is not available in this configuration

so I omitted those options on i686: e067d26

vcunat added a commit that referenced this pull request Oct 14, 2017
Broken since #30143.
I can't say I understand why this combination is apparently unsupported.
i686-linux is a second-tier platform now, but firefox is still kept a
channel blocker...