311167 – net-libs/xulrunner-1.9.2.2 does not respect LDFLAGS plus installs a redundant dev-libs/nss copy

Bug 311167 - net-libs/xulrunner-1.9.2.2 does not respect LDFLAGS plus installs a redundant dev-libs/nss copy

Summary: net-libs/xulrunner-1.9.2.2 does not respect LDFLAGS plus installs a redundant...

Status:	VERIFIED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Library (show other bugs)
Hardware:	All Linux

Importance:	High QA (vote)
Assignee:	Mozilla Gentoo Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	ldflags
	Show dependency tree

Reported:	2010-03-24 19:13 UTC by Doktor Notor
Modified:	2010-08-09 21:00 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Doktor Notor 2010-03-24 19:13:37 UTC

* QA Notice: Files built without respecting LDFLAGS have been detected
 *  Please include the following list of files in your report:
 * /usr/lib/xulrunner-1.9.2/libssl3.so
 * /usr/lib/xulrunner-1.9.2/libsoftokn3.so
 * /usr/lib/xulrunner-1.9.2/libnss3.so
 * /usr/lib/xulrunner-1.9.2/libnssckbi.so
 * /usr/lib/xulrunner-1.9.2/libnssdbm3.so
 * /usr/lib/xulrunner-1.9.2/libfreebl3.so
 * /usr/lib/xulrunner-1.9.2/libnssutil3.so
 * /usr/lib/xulrunner-1.9.2/libsmime3.so

Comment 1 Doktor Notor 2010-03-24 19:35:04 UTC

And on another note, why does this thing bundle entire dev-libs/nss at all?

Comment 2 Rafał Mużyło 2010-03-24 19:48:43 UTC

That's just the thing - it should not.

The problem here is that one of the checks is for nss 3.12.6,
while the latest in portage is 3.12.5.

What's more, for the moment I can't find a tarball of 3.12.6 in any of the obvious places, though it seems it was properly announced about a week ago.

Comment 3 Doktor Notor 2010-03-24 20:04:58 UTC

(In reply to comment #2)
> What's more, for the moment I can't find a tarball of 3.12.6 in any of the
> obvious places, though it seems it was properly announced about a week ago.

That's be more than two weeks ago.  

http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/67563d451d4a52f6

If it's nowhere to be find and is really requires, can we poke upstream about this bogus announcement instead of installing redundant stuff that will become vulnerable sooner or later? :)

Comment 4 Rafał Mużyło 2010-03-24 20:18:33 UTC

I don't think it's a bogus announcement,
it more like a bogus release policy:
as its primary target is mozilla/firefox, not other
downstream targets and those two (three, if you add thunderbird)
carry around the whole tree, separate tarballs don't get proper care.

Comment 5 Doktor Notor 2010-03-24 20:30:41 UTC

http://ftp.sh.cvut.cz/MIRRORS/fedora/linux/development/source/SRPMS/nss-3.12.6-2.fc14.src.rpm

If everything fails :)

Comment 6 Rafał Mużyło 2010-03-24 21:37:07 UTC

Tarball in redhat rpm is too stripped down,
one from mandrake did build fine.

Comment 7 Nirbheek Chauhan (RETIRED) gentoo-dev

2010-03-24 22:34:00 UTC

This is fixed with 1.9.2.2-r1 by a gentoo bump to 3.12.6 for nss with sources extracted from firefox-3.6.2.source.tar.bz2.

Comment 8 Doktor Notor 2010-03-25 01:07:49 UTC

(In reply to comment #7)
> This is fixed with 1.9.2.2-r1 by a gentoo bump to 3.12.6 for nss with sources
> extracted from firefox-3.6.2.source.tar.bz2.
> 

Meh... BTW - https://bugzilla.mozilla.org/show_bug.cgi?id=550231: 21 days without any reply and counting. Upstream-- and brown paperbag for them.