[MIR] mozjs38

Bug #1683937 reported by Jeremy Bícha
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
mozjs38 (Ubuntu)
Fix Released
Undecided
Mathieu Trudel-Lapierre

Bug Description

Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.

Built for all supported architectures.

Rationale
=========
Required by gjs (LP: #1683989) which is required by GNOME Shell. Beside gnome-shell, gjs is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-sushi
* gnome-weather

Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8

Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento (the gjs developer) ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.

Until now, Mozilla didn't really handle Spidermonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.

Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/

We no longer install the /usr/bin/js binary.

For 17.04, I updated the package to use the last Firefox 38 ESR as its base (LP: #1683103)

Quality assurance
=================
- Ubuntu Desktop Bugs is subscribed to this package.

https://bugs.launchpad.net/ubuntu/+source/mozjs38

Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we handle https://bugzilla.mozilla.org/1357593

No autopkgtests.

Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.

Dependencies
============
check-mir reports all other binary dependencies are in main

Standards compliance
====================
3.9.8

Maintenance
===========
- Actively developed upstream

Background information
======================
Of course, there's a Long Term Support problem with this package.

Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.

Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.

I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.

Packaging is at
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git or
https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/

Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
description: updated
Michael Terry (mterry)
Changed in mozjs38 (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

This package should get a thorough security review as part of the MIR given its nature of being a Javascript engine. I will do the rest of the MIR review in parallel.

Changed in mozjs38 (Ubuntu):
milestone: none → ubuntu-17.05
assignee: Mathieu Trudel-Lapierre (cyphermox) → Ubuntu Security Team (ubuntu-security)
Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
description: updated
Revision history for this message
Emily Ratliff (emilyr) wrote :

Security team ack with caveat that we can only agree to best effort security support at this time due to the upstream support model. This caveat is documented in the Security Team FAQ on the wiki. https://wiki.ubuntu.com/SecurityTeam/FAQ#mozjs
We will continue exploring options for the security support strategy with the Desktop team.

Changed in mozjs38 (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Jeremy Bícha (jbicha)
description: updated
Changed in mozjs38 (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

MIR approved.

Changed in mozjs38 (Ubuntu):
status: New → Fix Committed
Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote :

Override component to main
mozjs38 38.8.0~repack1-0ubuntu1 in artful: universe/libs -> main
libmozjs-38-0 38.8.0~repack1-0ubuntu1 in artful amd64: universe/libs/optional/100% -> main
libmozjs-38-0 38.8.0~repack1-0ubuntu1 in artful arm64: universe/libs/optional/100% -> main
libmozjs-38-0 38.8.0~repack1-0ubuntu1 in artful armhf: universe/libs/optional/100% -> main
libmozjs-38-0 38.8.0~repack1-0ubuntu1 in artful i386: universe/libs/optional/100% -> main
libmozjs-38-0 38.8.0~repack1-0ubuntu1 in artful ppc64el: universe/libs/optional/100% -> main
libmozjs-38-0 38.8.0~repack1-0ubuntu1 in artful s390x: universe/libs/optional/100% -> main
libmozjs-38-dev 38.8.0~repack1-0ubuntu1 in artful amd64: universe/libdevel/optional/100% -> main
libmozjs-38-dev 38.8.0~repack1-0ubuntu1 in artful arm64: universe/libdevel/optional/100% -> main
libmozjs-38-dev 38.8.0~repack1-0ubuntu1 in artful armhf: universe/libdevel/optional/100% -> main
libmozjs-38-dev 38.8.0~repack1-0ubuntu1 in artful i386: universe/libdevel/optional/100% -> main
libmozjs-38-dev 38.8.0~repack1-0ubuntu1 in artful ppc64el: universe/libdevel/optional/100% -> main
libmozjs-38-dev 38.8.0~repack1-0ubuntu1 in artful s390x: universe/libdevel/optional/100% -> main
Override [y|N]? y
13 publications overridden.

Changed in mozjs38 (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.