2009/3/24 Sascha Silbe <sascha-ml-ui-sugar-de...@silbe.org>:
> Hello!
>
> Short summary:
> If you're using sugar-jhbuild on Debian, please run
> "cd sugar-jhbuild && rm -rf source/mozilla source/hulahop install && ./sugar-jhbuild build"
> before using anything web-related the next time.
> Otherwise (i.e. not running on Debian), please make sure
> sugar-jhbuild/source/mozilla does not exist (if it does exist, execute the
> commands given above as well).
>
>
> Long explanation:
> xulrunner has had a security update. Most of you will be unaffected as
> we're using the distro package if we can (you do install distro security
> updates regularly, do you?). But for Debian sid+squeeze, we need to use our
> own copy due to path mismatches.
> Usually this wouldn't be a big deal, as sugar-jhbuild is meant to pull the
> latest version of each package and build it, so taking care of security
> updates automatically. Unfortunately, this does NOT work properly for
> tarballs: if any previous tarball has been extracted, any updated version
> will be left untouched! So to build the updated version, you need to remove
> the entire "sugar-jhbuild/source/mozilla" directory.
> As xulrunner uses the full version number inside directories (*), you need
> to ensure no outdated version is still installed and hulahop gets rebuilt
> from scratch. The easiest way to do that is to remove the directories
> "sugar-jhbuild/source/hulahop" and "sugar-jhbuild/install". Run a full build
> ("./sugar-jhbuild build") afterwards.
>
>
> (*) Incidentally, Debian fixed this (so installing the updated package
> should have been enough, no rebuild of hulahop needed). Unfortunately, all
> other distros (including Ubuntu) use the same paths as upstream...
> Seems like Mozilla products suck a lot regarding security updates (see
> the note about Iceweasel in the etch release notes as well). :(

Yes, this means that Ubuntu needs the hulahop package to be rebuilt and pushed out as an update every time there is a Firefox/xulrunner security update. Since hulahop is in universe ("community maintained") the update procedure doesn't have a very high priority, and requires multiple people to enable the -proposed repos and test before it is pushed out to -updates - for each supported distro release.

I must go through the process for intrepid and hardy again, because there was yet another rev to xulrunner - I think the previous hardy update to hulahop was never even pushed out because nobody other than me tested it and we need at least two ACKs.

This is a dilemma - nobody uses the hardy packages because "they're always broken" - but we can't fix them unless somebody uses them, even if only to test...

Anybody interested in helping, please join the Ubuntu Sugar Team mailing list mentioned on https://wiki.ubuntu.com/SugarTeam.

Regards
Morgan