Re: [Bug-gnuzilla] IceCat and security updates

2019-05-06 Thread Gary

q.v.
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

--
http://gnuzilla.gnu.org


Re: [Bug-gnuzilla] IceCat and security updates

2019-05-05 Thread Mark H Weaver
Mart Rootamm writes:

> As and when Mozilla releases 60.6.2 or 60.7.0, there quickly needs to
> be a new build because of an upstream brouhaha involving the expiry of
> an intermediate signing certificate that disabled all extensions.
>
> To mitigate the issue, existing users can set
>
> xpinstall.signatures.required
>
> to false
>
> in about:config.

This mitigation sounds like a bad idea to me.  You could be leaving
yourself open to getting hacked by a man-in-the-middle.

  Mark



Re: [Bug-gnuzilla] IceCat and security updates

2019-05-05 Thread Mart Rootamm
As and when Mozilla releases 60.6.2 or 60.7.0, there quickly needs to
be a new build because of an upstream brouhaha involving the expiry of
an intermediate signing certificate that disabled all extensions.

To mitigate the issue, existing users can set

xpinstall.signatures.required

to false

in about:config.

-M.

2019-05-04 5:29 GMT +03:00, Mike Gerwitz:
> On Fri, May 03, 2019 at 15:48:34 -0400, Mark H Weaver wrote:
>>> Is there any reason why IceCat is skipping updates?
>>
>> It's due to lack of developer resources.
>
> I talked to Rubén (the current maintainer) at LibrePlanet and he doesn't
> have the time, and would appreciate any help that anyone can
> provide.  If anyone is interested, get in touch with us at
> maintain...@gnu.org.
>
> --
> Mike Gerwitz
> Free Software Hacker+Activist | GNU Maintainer & Volunteer
> GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
> https://mikegerwitz.com
>



Re: [Bug-gnuzilla] IceCat and security updates

2019-05-03 Thread Mike Gerwitz
On Fri, May 03, 2019 at 15:48:34 -0400, Mark H Weaver wrote:
>> Is there any reason why IceCat is skipping updates?
>
> It's due to lack of developer resources.

I talked to Rubén (the current maintainer) at LibrePlanet and he doesn't
have the time, and would appreciate any help that anyone can
provide.  If anyone is interested, get in touch with us at
maintain...@gnu.org.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com




Re: [Bug-gnuzilla] IceCat and security updates

2019-05-03 Thread Mark H Weaver
 writes:

> Currently, the last version of IceCat is 60.3.0 while the last version
> of Firefox ESR is 60.6.1. Doesn't that make IceCat exposed to security
> vulnerabilities
> (https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/)
> already fixed on Firefox?

You're right, and I agree that it's a very serious problem.

In GNU Guix we keep our IceCat package
up-to-date by promptly running the 'makeicecat' script on the latest
Firefox ESR release whenever Mozilla issues security updates.  We had to
abandon use of the IceCat-provided source tarballs for the reason you
mention.

You could use the IceCat from Guix, or you could run the 'makeicecat'
script yourself to produce an up-to-date IceCat source tarball from the
corresponding Firefox ESR source tarball.  You can find 'makeicecat' in
the Gnuzilla git repository, here:

  http://git.savannah.gnu.org/cgit/gnuzilla.git

I'm sorry that I don't have a better answer for you.

> Is there any reason why IceCat is skipping updates?

It's due to lack of developer resources.

   Mark
