Bug#1001234: src:firefox-esr: fails to migrate to testing for too long: FTBFS on mipsel and unresolved RC bug

2021-12-09 Thread piorunz

On Thu, 9 Dec 2021 19:35:47 +0100 Paul Gevers wrote:

> Hi Piotr, Martin-Éric,
>
> Please stop bashing Mike. He's doing a great job.


Hi Paul,

I am not bashing anyone. My post was simply a copy of my e-mail I sent
to Debian user group yesterday:
https://lists.debian.org/debian-user/2021/12/msg00242.html

My post also is here to raise awareness to this problem. I am worried. I
don't (didn't until now) know who is a maintainer of firefox-esr. From
what I gather here, it's Mike. I support him all the way, and I hope
firefox-esr can be updated quickly. I honestly think that Debian should
throw more resources at this problem, if it doesn't want to become a
laughing stock in the community:
https://www.phoronix.com/scan.php?page=news_item=Web-Browser-Packages-Debian
100+ posts and counting, all bashing on entire Debian project because of
this.


> This bug was merely a procedure to raise awareness in case it was
> missing and is part of the Release Team way of working. The required
> action happened: the removal of the mipsel binary. All is good for the
> migration at this moment.


That's good to hear. But didn't Mike just mention that Firefox will
not migrate to Stable, due to Rust compiler problems?


> There is work ongoing too for stable. Please remember we're all
> volunteers and supporting a browser in Debian Stable is just not easy.


Of course, I support Debian volunteers and maintainers all the way!


> I'd like to point out the notes about security support for browsers in
> the Release Notes [1].


Link you posted, says, quote:
"The package debian-security-support helps to track the security support
status of installed packages. "

I installed this package, and ran it:
check-support-status | grep firefox
(zero results)
Nowhere does it say that firefox-esr installed on my system is EOL and
vulnerable to several CVEs. This should be updated. I am happy to file
a bug against debian-security-support, do you want me to do that?

Also, same chapter of Release Notes you linked, goes on to say, that:
"For general web browser use we recommend Firefox or Chromium. They will
be kept up-to-date by rebuilding the current ESR releases for stable.
The same strategy will be applied for Thunderbird. "

Debian has failed to deliver on that. "Recommended" browser in Debian
Stable is EOL and vulnerable. And people are not aware of this as
Release Notes and debian-security-support are not showing the problem.

Release Notes should have been updated in November 2021, when
firefox-esr went EOL, to reflect this. Do Release Notes for Bullseye
receive "errata" updates? Shouldn't this be done right now?
Debian should throw more resources at flagship browser problem! I
sincerely hope this can be resolved quickly. We don't want people
blaming Debian for virus infections due to unpatched Firefox being
shipped in Stable.



> Paul
>
> [1] https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#limited-security-support


I don't know development process in Stable, but shouldn't firefox-esr
78.15.0esr-1~deb11u1 be removed from bullseye servers? It's vulnerable
and unusable in current state? Can it be removed at all? So people don't
fall for this false sense of security?

--
With kindest regards, Piotr.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄



Bug#1001234: src:firefox-esr: fails to migrate to testing for too long: FTBFS on mipsel and unresolved RC bug

2021-12-09 Thread Paul Gevers

Hi Piotr, Martin-Éric,

Please stop bashing Mike. He's doing a great job.

This bug was merely a procedure to raise awareness in case it was 
missing and is part of the Release Team way of working. The required 
action happened: the removal of the mipsel binary. All is good for the 
migration at this moment.


There is work ongoing too for stable. Please remember we're all 
volunteers and supporting a browser in Debian Stable is just not easy. 
I'd like to point out the notes about security support for browsers in 
the Release Notes [1].


Paul

[1] 
https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#limited-security-support




Bug#1001234: src:firefox-esr: fails to migrate to testing for too long: FTBFS on mipsel and unresolved RC bug

2021-12-08 Thread Mike Hommey
On Wed, Dec 08, 2021 at 10:31:32AM +0200, Martin-Éric Racine wrote:
> On Wed, 8 Dec 2021 at 9.41, Mike Hommey (m...@glandium.org) wrote:
> > On Wed, Dec 08, 2021 at 09:07:24AM +0200, Martin-Éric Racine wrote:
> > > 91.4.0esr-1 was indeed uploaded. However, mipsel was not removed from the 
> > > list of architectures in the control file, so it attempted building. This 
> > > will likely prevent migration.
> >
> > I don't think removing the architecture from the control file would
> > change anything wrt migration.
> 
> It would.  AFAIK you explicitly need to declare:
> 
> Architecture: [!mipsel]
> 
> ... instead of any.
> 
> You'll also need to contact mipsel admins to ask them to remove the
> package from their port.

Removing the package is going to be necessary either way. I don't think
the lack of control change will prevent migration once the package is
removed.

> > > Better care in maintaining this package would be appreciated. CVE fixes 
> > > have yet to trickle into Testing or be uploaded to Stable-Updates for 
> > > over 60 days. That's not acceptable.
> >
> > For stable, it's not under my control.
> 
> Fair enough.
> 
> > AFAIK, the necessary rust compiler is still not available yet.
> 
> Which is inexcusable. 78 end of life was announced well ahead of time.
> There was plenty of time to prepare for this.

You can vent all you want, but that's not my fault.

Mike



Bug#1001234: src:firefox-esr: fails to migrate to testing for too long: FTBFS on mipsel and unresolved RC bug

2021-12-08 Thread Martin-Éric Racine
On Wed, 8 Dec 2021 at 9.41, Mike Hommey (m...@glandium.org) wrote:
> On Wed, Dec 08, 2021 at 09:07:24AM +0200, Martin-Éric Racine wrote:
> > 91.4.0esr-1 was indeed uploaded. However, mipsel was not removed from the 
> > list of architectures in the control file, so it attempted building. This 
> > will likely prevent migration.
>
> I don't think removing the architecture from the control file would
> change anything wrt migration.

It would.  AFAIK you explicitly need to declare:

Architecture: [!mipsel]

... instead of any.

You'll also need to contact mipsel admins to ask them to remove the
package from their port.

> > Better care in maintaining this package would be appreciated. CVE fixes 
> > have yet to trickle into Testing or be uploaded to Stable-Updates for over 
> > 60 days. That's not acceptable.
>
> For stable, it's not under my control.

Fair enough.

> AFAIK, the necessary rust compiler is still not available yet.

Which is inexcusable. 78 end of life was announced well ahead of time.
There was plenty of time to prepare for this.

Martin-Éric



Bug#1001234: src:firefox-esr: fails to migrate to testing for too long: FTBFS on mipsel and unresolved RC bug

2021-12-07 Thread Mike Hommey
On Wed, Dec 08, 2021 at 09:07:24AM +0200, Martin-Éric Racine wrote:
> Package: firefox-esr
> Version: 78.15.0esr-1~deb11u1
> Followup-For: Bug #1001234
> 
> 91.4.0esr-1 was indeed uploaded. However, mipsel was not removed from the 
> list of architectures in the control file, so it attempted building. This 
> will likely prevent migration.

I don't think removing the architecture from the control file would
change anything wrt migration.

> Better care in maintaining this package would be appreciated. CVE fixes have 
> yet to trickle into Testing or be uploaded to Stable-Updates for over 60 
> days. That's not acceptable.

For stable, it's not under my control. AFAIK, the necessary rust
compiler is still not available yet.

Mike



Bug#1001234: src:firefox-esr: fails to migrate to testing for too long: FTBFS on mipsel and unresolved RC bug

2021-12-07 Thread Martin-Éric Racine
Package: firefox-esr
Version: 78.15.0esr-1~deb11u1
Followup-For: Bug #1001234

91.4.0esr-1 was indeed uploaded. However, mipsel was not removed from the list 
of architectures in the control file, so it attempted building. This will 
likely prevent migration.

Better care in maintaining this package would be appreciated. CVE fixes have 
yet to trickle into Testing or be uploaded to Stable-Updates for over 60 days. 
That's not acceptable.

Martin-Éric



Bug#1001234: src:firefox-esr: fails to migrate to testing for too long: FTBFS on mipsel and unresolved RC bug

2021-12-07 Thread Paul Gevers

Hi Mike,

On 06-12-2021 23:07, Mike Hommey wrote:

> The FTBFS on
> mipsel is not going to go away ever. The rust compiler needs more than 2GB
> of memory to compile a specific crate in Firefox, and processes on
> mipsel can only get 2GB memory. The only way around that would be to
> cross-compile, which Debian doesn't do as of today.  We'll have to remove
> firefox-esr on mipsel.


You'd want to file a removal bug against ftp.debian.org to achieve that. 
It won't happen automagically.


Paul




Bug#1001234: src:firefox-esr: fails to migrate to testing for too long: FTBFS on mipsel and unresolved RC bug

2021-12-06 Thread Mike Hommey
On Mon, Dec 06, 2021 at 09:01:24PM +0100, Paul Gevers wrote:
> Source: firefox-esr
> Version: 78.14.0esr-1
> Severity: serious
> Tags: sid bookworm ftbfs
> User: release.debian@packages.debian.org
> Usertags: out-of-sync
> Control: block -1 by 998679
> 
> Dear maintainer(s),
> 
> The Release Team considers packages that are out-of-sync between testing and
> unstable for more than 60 days as having a Release Critical bug in testing
> [1]. Your package src:firefox-esr has been trying to migrate for 61 days
> [2]. Hence, I am filing this bug. You have an unresolved RC bug and the
> latest uploaded FTBFS on mipsel.

The RC bug is going to be fixed today with a new upstream. The FTBFS on
mipsel is not going to go away ever. The rust compiler needs more than 2GB
of memory to compile a specific crate in Firefox, and processes on
mipsel can only get 2GB memory. The only way around that would be to
cross-compile, which Debian doesn't do as of today.  We'll have to remove
firefox-esr on mipsel.

Mike



Bug#1001234: src:firefox-esr: fails to migrate to testing for too long: FTBFS on mipsel and unresolved RC bug

2021-12-06 Thread Paul Gevers

Source: firefox-esr
Version: 78.14.0esr-1
Severity: serious
Tags: sid bookworm ftbfs
User: release.debian@packages.debian.org
Usertags: out-of-sync
Control: block -1 by 998679

Dear maintainer(s),

The Release Team considers packages that are out-of-sync between testing 
and unstable for more than 60 days as having a Release Critical bug in 
testing [1]. Your package src:firefox-esr has been trying to migrate for 
61 days [2]. Hence, I am filing this bug. You have an unresolved RC bug 
and the latest uploaded FTBFS on mipsel.


If a package is out of sync between unstable and testing for a longer 
period, this usually means that bugs in the package in testing cannot be 
fixed via unstable. Additionally, blocked packages can have impact on 
other packages, which makes preparing for the release more difficult. 
Finally, it often exposes issues with the package and/or
its (reverse-)dependencies. We expect maintainers to fix issues that 
hamper the migration of their package in a timely manner.


This bug will trigger auto-removal when appropriate. As with all new 
bugs, there will be at least 30 days before the package is auto-removed.


I have tagged this bug to only affect sid and bookworm, so it doesn't 
affect (old-)stable.


If you believe your package is unable to migrate to testing due to 
issues beyond your control, don't hesitate to contact the Release Team.


Paul

[1] https://lists.debian.org/debian-devel-announce/2020/02/msg5.html
[2] https://qa.debian.org/excuses.php?package=firefox-esr


