Ian Zimmerman wrote: > On 2018-04-01 16:29, Martin Vaeth wrote: > >> An alarm sign for me was that palemoon was eventually dropped for >> android after being practically unmaintained (i.e. with known open >> security holes) for months/years. A similar alarm sign concerning >> linux is that they were not able to pull the fixes for the assembler >> code which relied on undocumented behaviour of <=gcc-5, even months >> after gcc-7 was out. Even if these problems are not marked as >> "security" issues, they can easily be some. > WTH is even assembly code _doing_ in a browser?? That is insane. > > now that I know this is the reason why palemoon needs gcc 4, I will > definitely look into it more closely. > >
Just for giggles, I tried to re-emerge palemoon. This is part of the output I got. >>> Running pre-merge checks for www-client/palemoon-27.8.3 * Checking for at least 7 GiB disk space at "/var/tmp/portage/www-client/palemoon-27.8.3/temp" ... [ ok ] * Checking compiler profile... * Building Pale Moon with a compiler other than a supported gcc version * may result in an unstable build. * You can use gcc-config to change your compiler profile, just remember * to change it back afterwards. * You need to have the appropriate versions of gcc installed for them * to be shown in gcc-config. * Alternatively, you can set the PALEMOON_ENABLE_UNSUPPORTED_COMPILERS * environment variable to 1 either by exporting it from the current shell * or by adding it to your make.conf file. * Be aware though that building Pale Moon with an unsupported compiler * means that the official support channels may refuse to offer any * kind of help in case the build fails or the browser behaves incorrectly. * Supported GCC versions: 4.7, 4.9 * Selected GCC version: 6.4 * ERROR: www-client/palemoon-27.8.3::palemoon failed (pretend phase): * (no error message) * * Call stack: * ebuild.sh, line 124: Called pkg_pretend * ebuild.sh, line 357: Called palemoon-4_pkg_pretend * palemoon-4.eclass, line 22: Called die * The specific snippet of code: * die * * If you need support, post the output of `emerge --info '=www-client/palemoon-27.8.3::palemoon'`, * the complete build log and the output of `emerge -pqv '=www-client/palemoon-27.8.3::palemoon'`. * The complete build log is located at '/var/log/portage/www-client:palemoon-27.8.3:20180401-230351.log'. * For convenience, a symlink to the build log is located at '/var/tmp/portage/www-client/palemoon-27.8.3/temp/build.log'. * The ebuild environment file is located at '/var/tmp/portage/www-client/palemoon-27.8.3/temp/die.env'. * Working directory: '/var/tmp/portage/www-client/palemoon-27.8.3/homedir' * S: '/var/tmp/portage/www-client/palemoon-27.8.3/work/palemoon-27.8.3' That is from the overlay palemoon and the latest version of it. So, it still depends on a old version of gcc which considering the age of it, is sort of odd. Why has that not been updated? Is it updatable or is it going to require some serious time consuming effort to do so and there are not enough people to do it? The overlay I might add, has the latest version of Palemoon according to the website. It's not the overlay that is running behind, it's palemoon itself. I admit, I wish things didn't have to update so often at times BUT for some things, it just has to be that way. I don't worry about security issues with something like Kwrite or Okular but I do worry about it with things like web browsers that I use to make purchases or check on financial websites such as banks etc. I want those to be secure as possible even if it means updating each week. This is interesting. Others who use palemoon may at least want to be aware of it. Dale :-) :-)
