Re: On Mozilla-* updates

To: debian-security@lists.debian.org
Subject: Re: On Mozilla-* updates
From: Frank Wein <mcsmurf@mcsmurf.de>
Date: Mon, 01 Aug 2005 11:42:04 +0200
Message-id: <[🔎] dckqma$juu$1@sea.gmane.org>
In-reply-to: <20050729164338.GB1029@finlandia.infodrom.north.de>
References: <20050729164338.GB1029@finlandia.infodrom.north.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Schulze wrote:
> Moin,
> 
> it seems that less than two months after the release of sarge it is
> not possible to support Mozilla, Thunderbird, Firefox (and probably
> Galeon) packages anymore.  (in terms of fixing security related
> problems)
> 
> Unfortunately the Mozilla Foundation does not provide dedicated and
> clean patches for security updates but only releases new versions that
> fix tons of security related problems and other stuff that is or may
> be irrelevant for security updates.  As a result, it is extremely
> difficult to get security patches extracted and backported.  This is
> an utter disaster for security teams and distributions that try to
> support their releases.
[...]
> For these packages, help and/or advice is appreciated.

So i don't know if the package maintainers already know this tool
(especially in regard to
http://kitenet.net/~joey/blog/entry/bug_hiding_systems-2005-07-30-06-25.html)
called Bonsai, it can be very useful to extract single patches more or
less easily ;) (even before the the new version has been released).
Bonsai keeps a database with all checkins to the CVS repository of
cvs.mozilla.org.
As a example lets take the the Bug # from that blog post, Bug 294795.
Now lets construct a query and see what we can get. First open
http://bonsai.mozilla.org/cvsqueryform.cgi, now in the Branch field you
have to enter AVIARY_1_0_1_20050124_BRANCH (that's the
Firefox/Thunderbird 1.0.x Branch) and on the bottom of the page you have
to enter "[X] Between 2005-05-11 00:00 and 2005-07-19 23:00". Those two
are the rough dates when FF 1.0.4 and FF 1.0.6 were released. So run the
query and you'll get a list of checkins on that branch between the two
releases, now you search on this page for the Bug # (i would say the bug
# is always noted in the checkin comment except when someone forgets it,
but that happens almost never), so 294795. This will point you at the
checkin with the comment "Fixing bug 294795. Don't leave references from
cloned member functions to the scope where xpconnect creates the
functions (safe context). r=bzbarsky[at]mit.edu,
sr=brendan[at]mozilla.org, a=dveditz[at]cruzio.com". Now you could
either manually merge this checkin by clicking on the version in the 4th
column which will display you the diff or check out the new version from
the CVS mirror (cvs-mirror.mozilla.org) for example by doing "cvs -j1.11
- -j1.11.44 -r AVIARY_1_0_1_20050124_BRANCH
mozilla/js/src/xpconnect/src/XPCDispObject.cpp". You can get the version
numbers needed by clicking on the version in the 4th column, you'll see
the versions then noted at the top.

HTH
Frank
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFC7e5raT2V74kAr9URAiJLAKCJJZ7VBFq4BpkS+SZQnleA9g31lwCdF7lM
jec0GUzBiikcv2UaScDK4us=
=e/MW
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: On Mozilla-* updates
  - From: Alexander Sack <asac@debian.org>

Prev by Date: Re: On Mozilla-* updates
Next by Date: Re: On Mozilla-* updates
Previous by thread: Re: On Mozilla-* updates
Next by thread: Re: On Mozilla-* updates
Index(es):
- Date
- Thread