Re: Security update of firefox-esr for Wheezy

2016-09-30 Thread Guido Günther
Hi Emilio,
On Sat, Sep 03, 2016 at 12:12:55PM +0200, Emilio Pozuelo Monfort wrote:
> On 02/09/16 08:39, Guido Günther wrote:
> > On Fri, Sep 02, 2016 at 01:26:05AM +0200, Emilio Pozuelo Monfort wrote:
> >> On 08/08/16 10:20, Raphael Hertzog wrote:
> >>> On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote:
> >>>>> Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only
> >>>>> purpose is to enable build of other packages?
> >>>>
> >>>> That would make sense.
> >>>>
> >>>> I'll see if I can take a look at this.
> >>>
> >>> The problematic part is likely libstdc++. I would expect the new gcc to
> >>> assume that you have the corresponding libstdc++.
> >>>
> >>> Mike once told that Firefox has special code to avoid the increased
> >>> dependency but that might not be the case of other packages that we might
> >>> want to build with a newer gcc.
> >>
> >> I had a look at this. Matthias pointed me to gcc-mozilla from Ubuntu, which is
> >> GCC 4.8.4 shipped in one package. I built that for Wheezy, then built
> >> firefox_49.0~b1-1 using that. I had to disable PIE, but other than that it built
> >> fine and seems to work well. So I think we could go this route.
> >>
> >> For GCC at least we need to drop the gfdl bits, and we may want to update to
> >> 4.8.5, but in general it seems to work well. I was hitting a build failure that
> >> I could work around by using an interactive shell. No idea if it's a pbuilder
> >> problem or what. That would need a little investigation.
> >>
> >> For Firefox, I didn't look much at the PIE issue. I just saw that it fails on a
> >> simple configure test when enabled, at the linker stage. With pie disabled,
> >> everything went well.
> > 
> > That sounds great. Did you put the packages somewhere? I don't think we'll
> > run into any extra issues with Icedove but it might be worth checking
> > this out before the current ESR versions go EOL.
> 
> Packages are at https://people.debian.org/~pochu/lts/gcc/
> 
> gcc-mozilla is the one from [1], but putting it here for convenience (you can't
> dget from launchpad). Let me know if it works for you or if you have any issues.

I checked with current icedove and it builds well when disabling
PIE. So with your proposed changes (disabling gfdl, updating to the
latest 4.8 version) we should be good. Are you going to look into this?

Cheers,
 -- Guido



Re: Security update of firefox-esr for Wheezy

2016-09-02 Thread Guido Günther
On Fri, Sep 02, 2016 at 01:26:05AM +0200, Emilio Pozuelo Monfort wrote:
> On 08/08/16 10:20, Raphael Hertzog wrote:
> > On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote:
> >>> Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only
> >>> purpose is to enable build of other packages?
> >>
> >> That would make sense.
> >>
> >> I'll see if I can take a look at this.
> > 
> > The problematic part is likely libstdc++. I would expect the new gcc to
> > assume that you have the corresponding libstdc++.
> > 
> > Mike once told that Firefox has special code to avoid the increased
> > dependency but that might not be the case of other packages that we might
> > want to build with a newer gcc.
> 
> I had a look at this. Matthias pointed me to gcc-mozilla from Ubuntu, which is
> GCC 4.8.4 shipped in one package. I built that for Wheezy, then built
> firefox_49.0~b1-1 using that. I had to disable PIE, but other than that it built
> fine and seems to work well. So I think we could go this route.
> 
> For GCC at least we need to drop the gfdl bits, and we may want to update to
> 4.8.5, but in general it seems to work well. I was hitting a build failure that
> I could work around by using an interactive shell. No idea if it's a pbuilder
> problem or what. That would need a little investigation.
> 
> For Firefox, I didn't look much at the PIE issue. I just saw that it fails on a
> simple configure test when enabled, at the linker stage. With pie disabled,
> everything went well.

That sounds great. Did you put the packages somewhere? I don't think we'll
run into any extra issues with Icedove but it might be worth checking
this out before the current ESR versions go EOL.

Cheers,
 -- Guido



Re: Security update of firefox-esr for Wheezy

2016-09-01 Thread Emilio Pozuelo Monfort
On 08/08/16 10:20, Raphael Hertzog wrote:
> On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote:
>>> Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only
>>> purpose is to enable build of other packages?
>>
>> That would make sense.
>>
>> I'll see if I can take a look at this.
> 
> The problematic part is likely libstdc++. I would expect the new gcc to
> assume that you have the corresponding libstdc++.
> 
> Mike once told that Firefox has special code to avoid the increased
> dependency but that might not be the case of other packages that we might
> want to build with a newer gcc.

I had a look at this. Matthias pointed me to gcc-mozilla from Ubuntu, which is
GCC 4.8.4 shipped in one package. I built that for Wheezy, then built
firefox_49.0~b1-1 using that. I had to disable PIE, but other than that it built
fine and seems to work well. So I think we could go this route.

For GCC at least we need to drop the gfdl bits, and we may want to update to
4.8.5, but in general it seems to work well. I was hitting a build failure that
I could work around by using an interactive shell. No idea if it's a pbuilder
problem or what. That would need a little investigation.

For Firefox, I didn't look much at the PIE issue. I just saw that it fails on a
simple configure test when enabled, at the linker stage. With pie disabled,
everything went well.

Cheers,
Emilio



Re: Security update of firefox-esr for Wheezy

2016-08-08 Thread Raphael Hertzog
On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote:
> > Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only
> > purpose is to enable build of other packages?
> 
> That would make sense.
> 
> I'll see if I can take a look at this.

The problematic part is likely libstdc++. I would expect the new gcc to
assume that you have the corresponding libstdc++.

Mike once told that Firefox has special code to avoid the increased
dependency but that might not be the case of other packages that we might
want to build with a newer gcc.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Re: Security update of firefox-esr for Wheezy

2016-08-07 Thread Emilio Pozuelo Monfort
On 07/08/16 22:17, Raphael Hertzog wrote:
> On Sun, 07 Aug 2016, Guido Günther wrote:
>> I too think it would be good to support Firefox & Icedove until Wheezy
>> goes EOL. We could backport gcc 4.8 from Jessie with only C/C++ enabled.
> 
> And obviously, we make no change to gcc-defaults.
> 
> Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only
> purpose is to enable build of other packages?

That would make sense.

I'll see if I can take a look at this.

Cheers,
Emilio



Re: Security update of firefox-esr for Wheezy

2016-08-07 Thread Ola Lundqvist
Hi

Yes I think it is a good idea to mark it as unsupported as you describe.

// Ola

On Sun, Aug 7, 2016 at 10:17 PM, Raphael Hertzog wrote:

> On Sun, 07 Aug 2016, Guido Günther wrote:
> > I too think it would be good to support Firefox & Icedove until Wheezy
> > goes EOL. We could backport gcc 4.8 from Jessie with only C/C++ enabled.
>
> And obviously, we make no change to gcc-defaults.
>
> Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only
> purpose is to enable build of other packages?
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/
>
>




Re: Security update of firefox-esr for Wheezy

2016-08-07 Thread Guido Günther
On Fri, Aug 05, 2016 at 11:52:29PM +0200, Emilio Pozuelo Monfort wrote:
> On 04/08/16 23:02, Mike Hommey wrote:
> > On Thu, Aug 04, 2016 at 07:50:28PM +0200, Guido Günther wrote:
> >> Hi,
> >> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
> >>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
> >>>> Hello Mike,
> >>>>
> >>>> Thank you for preparing the security update of firefox-esr. I have just
> >>>> sent a security announcement for your update in Wheezy to the
> >>>> debian-lts-announce mailing list. If you want to take care of this next
> >>>> time, please follow our guidelines which we have outlined at [1]. If
> >>>> this is a burden for you, no problem, we will do our best and take care
> >>>> of the rest. In this case we would like to ask you to send a short
> >>>> reminder to debian-lts, so that we can prepare the announcement in a
> >>>> timely manner.
> >>>
> >>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
> >>> that. That these updates go through the same security-master doesn't
> >>> help making it obvious they are different.
> >>>
> >>> Anyways, I'd rather not have more work to do, so if you can send
> >>> announcements, that works for me. Or you can deal with the backport
> >>> from back to back.
> >>>
> >>> Please note that the next ESR bump (52) will require GCC 4.8, which is
> >>> not in wheezy, so I won't be building ESR45 for wheezy past 45.8,
> >>> presumably some time in April next year.
> >>
> >> The same is true for icedove. Since this is way before the end of Wheezy
> >> LTS (31st May 2018) I wonder if we should EOL Firefox/Icedove then or
> >> try to support this for longer?
> >>
> >> I have no idea what features of gcc-4.8 would be required, Mike do you
> >> know?
> > 
> > Some C++11 features it supports that GCC 4.7 doesn't.
> 
> We may want / need to backport GCC 4.8 to Wheezy then. Chromium is already
> unsupported, so it's either that, or leave Wheezy with no supported browsers. We
> probably want the former.

I too think it would be good to support Firefox & Icedove until Wheezy
goes EOL. We could backport gcc 4.8 from Jessie with only C/C++ enabled.

Cheers,
 -- Guido



Re: Security update of firefox-esr for Wheezy

2016-08-05 Thread Emilio Pozuelo Monfort
On 04/08/16 23:02, Mike Hommey wrote:
> On Thu, Aug 04, 2016 at 07:50:28PM +0200, Guido Günther wrote:
>> Hi,
>> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
>>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
>>>> Hello Mike,
>>>>
>>>> Thank you for preparing the security update of firefox-esr. I have just
>>>> sent a security announcement for your update in Wheezy to the
>>>> debian-lts-announce mailing list. If you want to take care of this next
>>>> time, please follow our guidelines which we have outlined at [1]. If
>>>> this is a burden for you, no problem, we will do our best and take care
>>>> of the rest. In this case we would like to ask you to send a short
>>>> reminder to debian-lts, so that we can prepare the announcement in a
>>>> timely manner.
>>>
>>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
>>> that. That these updates go through the same security-master doesn't
>>> help making it obvious they are different.
>>>
>>> Anyways, I'd rather not have more work to do, so if you can send
>>> announcements, that works for me. Or you can deal with the backport
>>> from back to back.
>>>
>>> Please note that the next ESR bump (52) will require GCC 4.8, which is
>>> not in wheezy, so I won't be building ESR45 for wheezy past 45.8,
>>> presumably some time in April next year.
>>
>> The same is true for icedove. Since this is way before the end of Wheezy
>> LTS (31st May 2018) I wonder if we should EOL Firefox/Icedove then or
>> try to support this for longer?
>>
>> I have no idea what features of gcc-4.8 would be required, Mike do you
>> know?
> 
> Some C++11 features it supports that GCC 4.7 doesn't.

We may want / need to backport GCC 4.8 to Wheezy then. Chromium is already
unsupported, so it's either that, or leave Wheezy with no supported browsers. We
probably want the former.

Cheers,
Emilio



Re: Security update of firefox-esr for Wheezy

2016-08-04 Thread Mike Hommey
On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
> Hello Mike,
> 
> Thank you for preparing the security update of firefox-esr. I have just
> sent a security announcement for your update in Wheezy to the
> debian-lts-announce mailing list. If you want to take care of this next
> time, please follow our guidelines which we have outlined at [1]. If
> this is a burden for you, no problem, we will do our best and take care
> of the rest. In this case we would like to ask you to send a short
> reminder to debian-lts, so that we can prepare the announcement in a
> timely manner.

Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
that. That these updates go through the same security-master doesn't
help making it obvious they are different.

Anyways, I'd rather not have more work to do, so if you can send
announcements, that works for me. Or you can deal with the backport
from back to back.

Please note that the next ESR bump (52) will require GCC 4.8, which is
not in wheezy, so I won't be building ESR45 for wheezy past 45.8,
presumably some time in April next year.

Cheers,

Mike