| Summary: | dev-lang/spidermonkey-38.2.1_rc0: stabilization request | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | cronolio <salikov.alexey> |
| Component: | Stabilization | Assignee: | Mozilla Gentoo Team <mozilla> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | 1000110, emeric.maschino, gnome, pacho, salikov.alexey |
| Priority: | Normal | Keywords: | STABLEREQ |
| Version: | unspecified | Flags: | stable-bot:
sanity-check+
|
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: |
dev-lang/spidermonkey-38.2.1_rc0
|
Runtime testing required: | --- |
| Bug Depends on: | 631574 | ||
| Bug Blocks: | 618502, 631656 | ||
|
Description
cronolio
2017-05-27 14:07:05 UTC
So here's the thing: Spidermonley-38 was never officially released (it's a release candidate). It's also likely got vulnerabilities since it was rolled from firefox-38.2 and there were at least 5 additional 38.x versions of firefox since then that had various security fixes. Finally, upstream hasn't supported it for about 2 years now. All of that being said, if the cinnamon folks want to go stable and they need that version, then I'll sign off on it. GNOME 3.24 stabilization will need this as well. For GNOME purposes we need keywords matching gjs unless some get dropped to ~arch: alpha amd64 arm ia64 ppc ppc64 x86 (In reply to Ian Stakenvicius from comment #1) > So here's the thing: > > Spidermonley-38 was never officially released (it's a release candidate). > It's also likely got vulnerabilities since it was rolled from firefox-38.2 > and there were at least 5 additional 38.x versions of firefox since then > that had various security fixes. Finally, upstream hasn't supported it for > about 2 years now. > > All of that being said, if the cinnamon folks want to go stable and they > need that version, then I'll sign off on it. In Fedora they avoid that issues packaging JS from Firefox as shown in: https://src.fedoraproject.org/rpms/mozjs38/blob/master/f/mozjs38.spec In that case their mozjs package is based on firefox 38.8.0. Why are we relying on spidermonkey from https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Releases/38 ? Thanks That would be because the upstream "release", whatever that may be, is the most common base point for the various distros and projects to use. We can certainly roll it from firefox-38.8 though if that would improve matters for gnome; i'll work on that in the next day or two and if it tests well we can up the version for stabilization Hello, any updates on this? Thanks :) ping, lets try to not block already late gnome-3.24 stabilization with this. ping^2 @ mozilla Go ahead with 38.2.1_rc0. Please CC arches on whatever you need for gnome-3.24, I'd prefer to leave the rest keyworded ~arch. Looks like for some reason dev-libs/gjs has a lot of keywords that aren't actually needed by anything. All current (non-9999) consumers appear to be stable on amd64 and x86 only. So we can live with dropping stable gjs keywords for the rest probably. Reducing CC list accordingly for now. cjs already is only amd64/x86. grepped around in the wrong machines wrong outdated git repo, so missed that gnome-menus and libsecret need it too, but I think they can survive with old stable for now and some package.use.mask'ing test later on. At least until gjs is back to up to date ESRs (they already might be, we are just outdated too). That said, :38 is probably more secure than :24, that those tests would pull in on stable systems, when left like this. x86 stable amd64 stable |
