[MIR] mozjs38
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
mozjs38 (Ubuntu) | Fix Released | Undecided | Mathieu Trudel-Lapierre | |
Bug Description
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs (LP: #1683989) which is required by GNOME Shell. Besides gnome-shell, gjs is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-sushi
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https:/
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento (the gjs developer) ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https:/
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https:/
We no longer install the /usr/bin/js binary.
For 17.04, I updated the package to use the last Firefox 38 ESR as its base (LP: #1683103)
Quality assurance
=================
- Ubuntu Desktop Bugs is subscribed to this package.
https:/
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we handle https:/
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.
Packaging is at
https:/
https:/
Changed in mozjs38 (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
This package should get a thorough security review as part of the MIR given its nature of being a JavaScript engine. I will do the rest of the MIR review in parallel.