From: Jan Beich
To: "Mikhail T."
Cc: gecko@freebsd.org
Subject: Re: Restoring seamonkey
Date: Sun, 29 Mar 2020 01:47:42 +0100
Message-ID: <4ku8-x9zl-wny@FreeBSD.org>

"Mikhail T." writes:

> On 27.03.20 21:15, Jan Beich wrote:
>
>> Good luck:
>> - 2.53.1 is still vulnerable
>> - Upstream has unstable release cadence
>> - ESR60 engine may not build with new dependencies
>> - Expecting someone else to do the work
>>
> What, I wonder, made you think, I am expecting someone else to do the
> work? My question was quite agnostic of /who/ would do it, just
> /whether/ it can/should be done...

Lack of the homework. Patches do the talking better.

>
> If the fresh (February) release is still vulnerable, then, perhaps, it
> should stay buried... Can you give example of a still-open CVE? I'm
> staring at the list here
> ,
> but can't see, what's still open...

According to SeaMonkey 2.53.1 release notes the engine was updated to
Firefox 60.2ser with security fixes up to Firefox 72. Current version of
Firefox is 74 while 75 is expected next week. Finding applicable
vulnerabilities requires checking the code e.g., trying every fix
against SeaMonkey tree but assuming some rebase churn.

>> I'm only opposed on using Mk/bsd.gecko.mk and having gecko@ as the maintainer.
> I understand the latter, but not the former. As long as gecko@ are not
> responsible for it, what's wrong with still using bsd.gecko.mk?

portmgr@ expects ports/ to not break ports maintained by others. Being
forced to test and avoid breaking bsd.gecko.mk consumers that I don't
maintain is exhausting. Besides, the file has been planned for removal
for months/years due to unnecessarily complicating maintenance. See
www/cliqz for an example of a Firefox fork that doesn't use bsd.gecko.mk.

> That said, if we're sticking to firefox and thunderbird /only/, maybe
> the two can be modified to share more components -- libxul.so in
> particular, but also others?.. At least then, running both on the same
> machine will still share the shared libraries saving RAM...

libxul.so is no longer the same between various Gecko-based projects.
Even back when XULrunner was supported API/ABI wasn't compatible between
major releases.
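
The check described in the message above (trying each upstream fix against the fork's tree while allowing for rebase churn) can be sketched as below. This is an added example, not code from the thread or from the FreeBSD or SeaMonkey projects; the file path, file contents and patch are constructed, and matching each hunk by content at any line offset is this example's simplification of what a patch tool does.

```python
import re
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def parse_hunks(patch_text):
    """Unified diff -> {path: [(pre_image_lines, post_image_lines), ...]}."""
    hunks, path, old_left, new_left = {}, None, 0, 0
    for line in patch_text.splitlines():
        if old_left > 0 or new_left > 0:           # inside a hunk body
            tag, text = line[:1] or " ", line[1:]
            if tag in " -":
                hunks[path][-1][0].append(text)
                old_left -= 1
            if tag in " +":
                hunks[path][-1][1].append(text)
                new_left -= 1
        elif line.startswith("+++ "):              # target file header
            path = re.sub(r"^[ab]/", "", line[4:].split("\t")[0])
        elif path and (m := HUNK.match(line)):     # omitted count means 1
            old_left, new_left = int(m[1] or 1), int(m[2] or 1)
            hunks.setdefault(path, []).append(([], []))
    return hunks

def contains(haystack, needle):
    """True if needle's lines occur contiguously at any offset (line drift is fine)."""
    n = len(needle)
    return bool(n) and any(haystack[i:i + n] == needle
                           for i in range(len(haystack) - n + 1))

def triage(patch_text, tree):
    """tree: {path: text}. 'fixed' = post-image found, 'missing' = pre-image found."""
    states = set()
    for path, hunks in parse_hunks(patch_text).items():
        lines = tree.get(path, "").splitlines()
        for old, new in hunks:
            states.add("fixed" if contains(lines, new) else
                       "missing" if contains(lines, old) else "review")
    return states.pop() if len(states) == 1 else "review"   # mixed or diverged: read it

# Constructed sample: hypothetical fork file (line numbers drifted) and upstream fix.
TREE = {"dom/Reader.cpp": '#include "Fork.h"\n  memcpy(aBuf, mData, aLen);\n'
                          "  mIndex = mIndex + 1;\n  return aLen;\n"}
FIX = """\
--- a/dom/Reader.cpp
+++ b/dom/Reader.cpp
@@ -40,2 +40,2 @@
   memcpy(aBuf, mData, aLen);
-  mIndex = mIndex + 1;
+  mIndex = CheckedAdd(mIndex, 1);
"""
print(triage(FIX, TREE))
```

A "review" result is the rebase-churn case: neither side of the hunk matches the tree, so the fix has to be read against the fork's code by hand.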