2017-04-18 20:47:03 |
Jeremy Bícha |
bug |
|
|
added bug |
2017-04-18 20:48:04 |
Jeremy Bícha |
bug |
|
|
added subscriber MIR approval team |
2017-04-18 20:50:56 |
Jeremy Bícha |
description |
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs which is required by GNOME Shell. Beside gnome-shell, it is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento the gjs developer ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/
We no longer install the /usr/bin/js binary.
For 17.04, I am upgrading mozjs to use the last Firefox 38 ESR as its base (LP: #1683103).
Quality assurance
=================
- Please subscribe Ubuntu Desktop Bugs to this package.
https://bugs.launchpad.net/ubuntu/+source/mozjs38
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we figure out how to fix 3 tests on those architectures.
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too. |
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs which is required by GNOME Shell. Beside gnome-shell, it is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento the gjs developer ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/
We no longer install the /usr/bin/js binary.
For 17.04, I am upgrading mozjs to use the last Firefox 38 ESR as its base (LP: #1683103).
Quality assurance
=================
- Please subscribe Ubuntu Desktop Bugs to this package.
https://bugs.launchpad.net/ubuntu/+source/mozjs38
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we figure out how to fix 3 tests on those architectures.
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.
Packaging is at
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git or
https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/ |
|
2017-04-19 00:23:56 |
Jeremy Bícha |
description |
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs which is required by GNOME Shell. Beside gnome-shell, it is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento the gjs developer ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/
We no longer install the /usr/bin/js binary.
For 17.04, I am upgrading mozjs to use the last Firefox 38 ESR as its base (LP: #1683103).
Quality assurance
=================
- Please subscribe Ubuntu Desktop Bugs to this package.
https://bugs.launchpad.net/ubuntu/+source/mozjs38
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we figure out how to fix 3 tests on those architectures.
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.
Packaging is at
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git or
https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/ |
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs which is required by GNOME Shell. Beside gnome-shell, it is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento the gjs developer ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/
We no longer install the /usr/bin/js binary.
For 17.04, I am upgrading mozjs to use the last Firefox 38 ESR as its base (LP: #1683103).
Quality assurance
=================
- Please subscribe Ubuntu Desktop Bugs to this package.
https://bugs.launchpad.net/ubuntu/+source/mozjs38
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we handle https://bugzilla.mozilla.org/1357593
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.
Packaging is at
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git or
https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/ |
|
2017-04-19 03:07:03 |
Jeremy Bícha |
description |
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs which is required by GNOME Shell. Beside gnome-shell, it is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento the gjs developer ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/
We no longer install the /usr/bin/js binary.
For 17.04, I am upgrading mozjs to use the last Firefox 38 ESR as its base (LP: #1683103).
Quality assurance
=================
- Please subscribe Ubuntu Desktop Bugs to this package.
https://bugs.launchpad.net/ubuntu/+source/mozjs38
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we handle https://bugzilla.mozilla.org/1357593
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.
Packaging is at
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git or
https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/ |
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs (LP: #1683989) which is required by GNOME Shell. Beside gnome-shell, gjs is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento (the gjs developer) ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/
We no longer install the /usr/bin/js binary.
For 17.04, I am upgrading mozjs to use the last Firefox 38 ESR as its base (LP: #1683103).
Quality assurance
=================
- Please subscribe Ubuntu Desktop Bugs to this package.
https://bugs.launchpad.net/ubuntu/+source/mozjs38
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we handle https://bugzilla.mozilla.org/1357593
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.
Packaging is at
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git or
https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/ |
|
2017-04-20 12:32:53 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Security Team |
2017-04-21 13:03:41 |
Michael Terry |
mozjs38 (Ubuntu): assignee |
|
Mathieu Trudel-Lapierre (cyphermox) |
|
2017-04-21 13:21:37 |
Mathieu Trudel-Lapierre |
mozjs38 (Ubuntu): milestone |
|
ubuntu-17.05 |
|
2017-04-21 13:24:06 |
Mathieu Trudel-Lapierre |
mozjs38 (Ubuntu): assignee |
Mathieu Trudel-Lapierre (cyphermox) |
Ubuntu Security Team (ubuntu-security) |
|
2017-04-27 21:40:51 |
Jeremy Bícha |
description |
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs (LP: #1683989) which is required by GNOME Shell. Beside gnome-shell, gjs is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento (the gjs developer) ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/
We no longer install the /usr/bin/js binary.
For 17.04, I am upgrading mozjs to use the last Firefox 38 ESR as its base (LP: #1683103).
Quality assurance
=================
- Please subscribe Ubuntu Desktop Bugs to this package.
https://bugs.launchpad.net/ubuntu/+source/mozjs38
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we handle https://bugzilla.mozilla.org/1357593
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.
Packaging is at
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git or
https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/ |
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs (LP: #1683989) which is required by GNOME Shell. Beside gnome-shell, gjs is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento (the gjs developer) ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/
We no longer install the /usr/bin/js binary.
For 17.04, I updated the package to use the last Firefox 38 ESR as its base (LP: #1683103)
Quality assurance
=================
- Please subscribe Ubuntu Desktop Bugs to this package.
https://bugs.launchpad.net/ubuntu/+source/mozjs38
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we handle https://bugzilla.mozilla.org/1357593
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.
Packaging is at
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git or
https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/ |
|
2017-05-01 20:51:52 |
Jeremy Bícha |
description |
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs (LP: #1683989) which is required by GNOME Shell. Beside gnome-shell, gjs is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento (the gjs developer) ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/
We no longer install the /usr/bin/js binary.
For 17.04, I updated the package to use the last Firefox 38 ESR as its base (LP: #1683103)
Quality assurance
=================
- Please subscribe Ubuntu Desktop Bugs to this package.
https://bugs.launchpad.net/ubuntu/+source/mozjs38
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we handle https://bugzilla.mozilla.org/1357593
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.
Packaging is at
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git or
https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/ |
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs (LP: #1683989) which is required by GNOME Shell. Beside gnome-shell, gjs is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-sushi
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento (the gjs developer) ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/
We no longer install the /usr/bin/js binary.
For 17.04, I updated the package to use the last Firefox 38 ESR as its base (LP: #1683103)
Quality assurance
=================
- Please subscribe Ubuntu Desktop Bugs to this package.
https://bugs.launchpad.net/ubuntu/+source/mozjs38
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we handle https://bugzilla.mozilla.org/1357593
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.
Packaging is at
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git or
https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/ |
|
2017-05-09 09:28:19 |
Will Cooke |
bug |
|
|
added subscriber Will Cooke |
2017-05-09 14:37:10 |
Olivier Tilloy |
bug |
|
|
added subscriber Olivier Tilloy |
2017-05-11 16:03:48 |
Emily Ratliff |
mozjs38 (Ubuntu): assignee |
Ubuntu Security Team (ubuntu-security) |
|
|
2017-05-11 16:57:55 |
Jeremy Bícha |
description |
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs (LP: #1683989) which is required by GNOME Shell. Besides gnome-shell, gjs is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-sushi
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento (the gjs developer) ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/
We no longer install the /usr/bin/js binary.
For 17.04, I updated the package to use the last Firefox 38 ESR as its base (LP: #1683103)
Quality assurance
=================
- Please subscribe Ubuntu Desktop Bugs to this package.
https://bugs.launchpad.net/ubuntu/+source/mozjs38
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we handle https://bugzilla.mozilla.org/1357593
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.
Packaging is at
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git or
https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/ |
Availability
============
Ubuntu is a bit ahead of Debian here but the mozjs packages are maintained in Debian. I have an ITP filed (#860396) to maintain this with the Debian pkg-gnome team since I don't think anyone else wants the burden of maintaining it.
Built for all supported architectures.
Rationale
=========
Required by gjs (LP: #1683989) which is required by GNOME Shell. Besides gnome-shell, gjs is also used by these apps which might be in a default Ubuntu install.
* gnome-characters
* gnome-documents
* gnome-maps
* gnome-sushi
* gnome-weather
Security
========
mozjs38 is Firefox's SpiderMonkey JavaScript engine. Therefore, it gets lots of CVEs (not all Firefox CVEs affect mozjs but there are several that do).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8
Here's how things have improved in the past 6 months though. GNOME 3.22 was still using mozjs24 which is several years out of date. For GNOME 3.24, Philip Chimento (the gjs developer) ported to mozjs31 and then mozjs38. He currently expects to finish the port all the way to mozjs52 for GNOME 3.26 https://bugzilla.gnome.org/781429 . Although it's too early to make a definitive decision, I think there's a good chance we will ship GNOME 3.26 in Ubuntu 17.04. mozjs52 corresponds with the current Firefox ESR release.
Until now, Mozilla didn't really handle SpiderMonkey releases very well, doing one release per ESR cycle. mozjs is now being built as part of Mozilla's regular builds so I think we'll be able to get them to do regular releases too.
Each ESR is supported for about one year:
https://www.mozilla.org/en-US/firefox/organizations/faq/
We no longer install the /usr/bin/js binary.
For 17.04, I updated the package to use the last Firefox 38 ESR as its base (LP: #1683103)
Quality assurance
=================
- Ubuntu Desktop Bugs is subscribed to this package.
https://bugs.launchpad.net/ubuntu/+source/mozjs38
Upstream build tests are being run now using dh_auto_test. Failing tests do not fail the build on arm64, ppc64el, and s390x until we handle https://bugzilla.mozilla.org/1357593
No autopkgtests.
Partly because of how old mozjs38 is, we build with autoconf2.13 and have several patches. Hopefully, those won't be needed with mozjs52.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
3.9.8
Maintenance
===========
- Actively developed upstream
Background information
======================
Of course, there's a Long Term Support problem with this package.
Red Hat Enterprise Linux has begun working around this issue by fully upgrading the GNOME stack periodically. (RHEL 7 shipped with GNOME 3.8; 7.2 updated it to 3.14. GNOME 3.22 might come later this year.)
Most other GNOME LTS distros (like Debian and SUSE) don't upgrade mozjs.
I expect we will be able to drop mozjs24 from the archives before 18.04 LTS. The developers of the packages using it are working on porting to mozjs38 now. Maybe they can port to mozjs52 before 18.04 LTS too.
Packaging is at
https://anonscm.debian.org/git/pkg-gnome/mozjs38.git or
https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/ |
|
2017-05-12 16:17:50 |
Mathieu Trudel-Lapierre |
mozjs38 (Ubuntu): assignee |
|
Mathieu Trudel-Lapierre (cyphermox) |
|
2017-05-17 13:34:49 |
Mathieu Trudel-Lapierre |
mozjs38 (Ubuntu): status |
New |
Fix Committed |
|
2017-06-01 15:26:07 |
Didier Roche-Tolomelli |
mozjs38 (Ubuntu): status |
Fix Committed |
Fix Released |
|