Bug 311167 - net-libs/xulrunner-1.9.2.2 does not respect LDFLAGS plus installs a redundant dev-libs/nss copy
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Library
Hardware: All Linux
: High QA
Assignee: Mozilla Gentoo Team
Blocks: ldflags
Reported: 2010-03-24 19:13 UTC by Doktor Notor
Modified: 2010-08-09 21:00 UTC

Description Doktor Notor 2010-03-24 19:13:37 UTC
* QA Notice: Files built without respecting LDFLAGS have been detected
 *  Please include the following list of files in your report:
 * /usr/lib/xulrunner-1.9.2/libssl3.so
 * /usr/lib/xulrunner-1.9.2/libsoftokn3.so
 * /usr/lib/xulrunner-1.9.2/libnss3.so
 * /usr/lib/xulrunner-1.9.2/libnssckbi.so
 * /usr/lib/xulrunner-1.9.2/libnssdbm3.so
 * /usr/lib/xulrunner-1.9.2/libfreebl3.so
 * /usr/lib/xulrunner-1.9.2/libnssutil3.so
 * /usr/lib/xulrunner-1.9.2/libsmime3.so
Comment 1 Doktor Notor 2010-03-24 19:35:04 UTC
And on another note, why does this thing bundle the entire dev-libs/nss at all?
Comment 2 Rafał Mużyło 2010-03-24 19:48:43 UTC
That's just the thing - it should not.

The problem here is that one of the checks is for nss 3.12.6,
while the latest in portage is 3.12.5.

What's more, for the moment I can't find a tarball of 3.12.6 in any of the obvious places, though it seems it was properly announced about a week ago.
Comment 3 Doktor Notor 2010-03-24 20:04:58 UTC
(In reply to comment #2)
> What's more, for the moment I can't find a tarball of 3.12.6 in any of the
> obvious places, though it seems it was properly announced about a week ago.

That'd be more than two weeks ago.

http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/67563d451d4a52f6

If it's nowhere to be found and is really required, can we poke upstream about this bogus announcement instead of installing redundant stuff that will become vulnerable sooner or later? :)
Comment 4 Rafał Mużyło 2010-03-24 20:18:33 UTC
I don't think it's a bogus announcement,
it's more like a bogus release policy:
as its primary target is mozilla/firefox, not other
downstream targets and those two (three, if you add thunderbird)
carry around the whole tree, separate tarballs don't get proper care.
Comment 6 Rafał Mużyło 2010-03-24 21:37:07 UTC
Tarball in redhat rpm is too stripped down,
one from mandrake did build fine.
Comment 7 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-03-24 22:34:00 UTC
This is fixed with 1.9.2.2-r1 by a gentoo bump to 3.12.6 for nss with sources extracted from firefox-3.6.2.source.tar.bz2.
Comment 8 Doktor Notor 2010-03-25 01:07:49 UTC
(In reply to comment #7)
> This is fixed with 1.9.2.2-r1 by a gentoo bump to 3.12.6 for nss with sources
> extracted from firefox-3.6.2.source.tar.bz2.
> 

Meh... BTW - https://bugzilla.mozilla.org/show_bug.cgi?id=550231: 21 days without any reply and counting. Upstream-- and brown paperbag for them.