Latest gecko-sdk in portage == 1.7.5; latest stable mozilla in portage == 1.7.7. If a version of mozilla is considered stable, why isn't the gecko-sdk built from the same mozilla version? And a question that is more interesting to me: if mozilla is bumped for security reasons, is there no chance that the security holes in mozilla forcing the bump may also be security holes in gecko-sdk?
It obviously depends on the security issues... Pure gecko things like buffer overflows in rendering or image loading would certainly be affected. Javascript privilege escalations are a little less obvious... In all cases, better safe than sorry.
Moz team, please bump to 1.7.7
GeckoSDK doesn't actually contain the gecko rendering engine; it only includes the files needed to build applications that link to the engine. This includes a few programs for parsing idl files and libraries to allow XPCom linking. The 1.7.5 version in portage is already using 1.7.6 internally to fix compile problems with mozilla, but I didn't bump the version number as there wouldn't be a reason for someone to want to recompile all of mozilla for an updated version of the SDK. Unless the security issue is with LibXPCom, I don't think it's worth bumping the version number to force a recompile. If someone on the security or Mozilla team feels otherwise, I'd be happy to do it.
Then it's INVALID as a security bug. It may be reopened as a bump request assigned to maintainer, though.