Please stabilize, thanks!
Sanity check failed: > www-client/firefox-91.0.1 > depend amd64 stable profile default/linux/amd64/17.1 (35 total) > >=dev-libs/nspr-4.32 > >=dev-libs/nss-3.68 > depend amd64 dev profile default/linux/amd64/17.1/no-multilib/systemd (1 total) > >=dev-libs/nspr-4.32 > >=dev-libs/nss-3.68 > rdepend amd64 stable profile default/linux/amd64/17.1 (35 total) > >=dev-libs/nspr-4.32 > >=dev-libs/nss-3.68 > rdepend amd64 dev profile default/linux/amd64/17.1/no-multilib/systemd (1 total) > >=dev-libs/nspr-4.32 > >=dev-libs/nss-3.68
We do not stabilize non-ESR version.
(In reply to Thomas Deutschmann from comment #2) > We do not stabilize non-ESR version. 91.0.1 is an ESR release, isn't it? https://www.mozilla.org/en-US/firefox/91.0.1esr/releasenotes/ If the vulnerability doesn't affect <91, then I suppose we don't need stabilization (since vulnerability only affected unstable versions), but is that the case?
(In reply to Thomas Deutschmann from comment #2) > We do not stabilize non-ESR version. Firefox-91.0 is ESR. Which makes it eligible of stabilization succeeding 78.x .
While 91 is now ESR, it seems that 78 ESR is still supported: https://wiki.mozilla.org/Release_Management/Calendar
For the users: Don't get confused by the fact that upstream is currently having two products with the same version (91.x). They are different branches: ESR and non-ESR These branches have already started to slightly diverge. A firefox built from 91.0.1 tarball is not identical with a firefox 91.0.1 built from ESR tarball and would in addition receive different runtime settings from Mozilla's Normandy service if used. While upstream has released a new ESR branch (91.x) this month, we do not have this version yet in Gentoo repository: In Gentoo repository we currently have > $ eshowkw www-client/firefox > Keywords for www-client/firefox: > | | u | > | a a p s a r | n | > | m r h p p l i i m m s | e u s | r > | d a m p p c a x p a s 6 i 3 | a s l | e > | 6 r 6 p p 6 r 8 h 6 c 8 p 9 | p e o | p > | 4 m 4 a c 4 c 6 a 4 v k s 0 | i d t | o > ----------+-----------------------------+-------------+------- > 78.12.0 | + o + o o ~ o + o o o o o o | 7 # 0/esr78 | gentoo > 78.13.0 | + o + o o ~ o + o o o o o o | 7 o | gentoo > ----------+-----------------------------+-------------+------- > [I]90.0.2 | ~ o ~ o o ~ o ~ o o o o o o | 7 o 0/90 | gentoo > ----------+-----------------------------+-------------+------- > 91.0 | ~ o ~ o o ~ o ~ o o o o o o | 7 # 0/91 | gentoo > 91.0.1 | ~ o ~ o o ~ o ~ o o o o o o | 7 o | gentoo BTW: 78.x ESR is still supported for the next two months. Regarding this security bug: The vulnerability CVE-2021-29991 is about a vulnerability in HTTP/3 implementation _which is not present_ in 0/esr78 slot which is the only stable www-client/firefox version in Gentoo repository. So I am closing this again as INVALID because there is nothing to stabilize for us here (=invalid call) which is reflected by the bug state "INVALID". :)