Comment 1 NATTkA bot 2021-08-18 20:04:23 UTC

Sanity check failed:

> www-client/firefox-91.0.1
>   depend amd64 stable profile default/linux/amd64/17.1 (35 total)
>     >=dev-libs/nspr-4.32
>     >=dev-libs/nss-3.68
>   depend amd64 dev profile default/linux/amd64/17.1/no-multilib/systemd (1 total)
>     >=dev-libs/nspr-4.32
>     >=dev-libs/nss-3.68
>   rdepend amd64 stable profile default/linux/amd64/17.1 (35 total)
>     >=dev-libs/nspr-4.32
>     >=dev-libs/nss-3.68
>   rdepend amd64 dev profile default/linux/amd64/17.1/no-multilib/systemd (1 total)
>     >=dev-libs/nspr-4.32
>     >=dev-libs/nss-3.68

Comment 2 Thomas Deutschmann (RETIRED) 2021-08-18 22:04:45 UTC

We do not stabilize non-ESR version.

Comment 3 John Helmert III 2021-08-18 23:35:22 UTC

(In reply to Thomas Deutschmann from comment #2)
> We do not stabilize non-ESR version.

91.0.1 is an ESR release, isn't it?

https://www.mozilla.org/en-US/firefox/91.0.1esr/releasenotes/

If the vulnerability doesn't affect <91, then I suppose we don't need stabilization (since vulnerability only affected unstable versions), but is that the case?

(In reply to Thomas Deutschmann from comment #2)
> We do not stabilize non-ESR version.

Firefox-91.0 is ESR. Which makes it eligible of stabilization succeeding 78.x .

While 91 is now ESR, it seems that 78 ESR is still supported: https://wiki.mozilla.org/Release_Management/Calendar

Comment 6 Thomas Deutschmann (RETIRED) 2021-08-19 12:03:44 UTC

For the users:

Don't get confused by the fact that upstream is currently having two products with the same version (91.x). They are different branches: ESR and non-ESR

These branches have already started to slightly diverge. A firefox built from 91.0.1 tarball is not identical with a firefox 91.0.1 built from ESR tarball and would in addition receive different runtime settings from Mozilla's Normandy service if used.

While upstream has released a new ESR branch (91.x) this month, we do not have this version yet in Gentoo repository:

In Gentoo repository we currently have

> $ eshowkw www-client/firefox
> Keywords for www-client/firefox:
>           |                             |   u         |
>           | a   a     p s   a   r       |   n         |
>           | m   r h   p p   l i i m m s | e u s       | r
>           | d a m p p c a x p a s 6 i 3 | a s l       | e
>           | 6 r 6 p p 6 r 8 h 6 c 8 p 9 | p e o       | p
>           | 4 m 4 a c 4 c 6 a 4 v k s 0 | i d t       | o
> ----------+-----------------------------+-------------+-------
>   78.12.0 | + o + o o ~ o + o o o o o o | 7 # 0/esr78 | gentoo
>   78.13.0 | + o + o o ~ o + o o o o o o | 7 o         | gentoo
> ----------+-----------------------------+-------------+-------
> [I]90.0.2 | ~ o ~ o o ~ o ~ o o o o o o | 7 o 0/90    | gentoo
> ----------+-----------------------------+-------------+-------
>      91.0 | ~ o ~ o o ~ o ~ o o o o o o | 7 # 0/91    | gentoo
>    91.0.1 | ~ o ~ o o ~ o ~ o o o o o o | 7 o         | gentoo

BTW: 78.x ESR is still supported for the next two months.

Regarding this security bug: The vulnerability CVE-2021-29991 is about a vulnerability in HTTP/3 implementation _which is not present_ in 0/esr78 slot which is the only stable www-client/firefox version in Gentoo repository.

So I am closing this again as INVALID because there is nothing to stabilize for us here (=invalid call) which is reflected by the bug state "INVALID". :)