PSA: js_options is no more

2020-10-08 Thread Mike Hommey 
Hi,

If you've written patches for configure in the past few years to add
some flag to use in mozconfig with `ac_add_options`, you may have seen
that while in most cases, you may do that with `option()`, in some cases,
for weird reasons, you had to use `js_option()`. That's finally not the
case anymore.

If you have patches pending that are using `js_option()`, they will
fail. You just need to replace it with `option()`.

The downside, though, is that these patches may cause subtle problems if
they are uplifted, so if you can avoid uplifting patches adding
`option()` for a few cycles, that would be better (though a quick look
at the history of the beta branch suggests no such patch has ever been
uplifted so far).

The underlying reason why it is finally this way is that when running
configure for Firefox, we now don't run configure again for Spidermonkey. At
least not for the python parts of configure. Hopefully, this makes
configure a little faster. The autoconf parts, however, are still executed.

For the curious, the bugs involved are #1669633 and #1520395.

Cheers,

Mike
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

hg.mozilla.org SSL Certificate Renewal

2020-10-08 Thread Connor Sheehan 
tldr; run `mach vcs-setup` to update the pinned SSL certificate in your hgrc 
files.

hg.mozilla.org’s x509 server certificate (AKA an “SSL certificate”) will be 
rotated on Monday, October 12th. Bug 1670031 tracks this change.

You may have the certificate’s fingerprint pinned in your hgrc files. Automated 
jobs may pin the fingerprint as well. If you have the fingerprint pinned, you 
will need to take action otherwise Mercurial will refuse the connection to 
hg.mozilla.org once the certificate is swapped.

The easiest way to ensure your pinned fingerprint is up-to-date is to run `mach 
vcs-setup` from a Mercurial checkout (it can be from an old revision). Both the 
old and new fingerprints will be pinned and the transition will “just work.” 
Once the new fingerprint is enabled on the server, run mach vcs-setup again to 
remove the old fingerprint.

Fingerprints and details of the new certificate (including hgrc config snippets 
you can copy) are located at Bug 1670031. From a certificate level, this 
transition is pretty boring: just a standard certificate renewal from the same 
CA.

The Matrix channel for this operational change will be #vcs. Fallout in Firefox 
CI should be discussed in #ci. Please track any bugs related to this change 
against Bug 1668017.
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Please run mach bootstrap; NodeJS/NPM security fixes landed

2020-10-08 Thread Kartikaya Gupta 
Piling on with tangentially-related info: bug 1668921 bumps the
minimum cbindgen version requirement and is on autoland now. So if you
want until that merges you'll only need to rebootstrap once instead of
twice (assuming you use bootstrap to get your cbindgen installed).

On Thu, Oct 8, 2020 at 12:35 PM Mark Banner  wrote:
>
>   * Upgrades for NodeJS from 10.21.0 to 10.22.1 and for NPM from 6.14.4
> to 6.14.6 have merged to mozilla-central.
>   * Everyone is encouraged to run `mach bootstrap` to upgrade the
> toolchain on their machine.
>   * The main security fix that we’re concerned with is in node, so I’ve
> also set 10.22.1 as the minimum acceptable node version that mach
> commands will allow.
>
> This means that running mach `mach eslint —setup` will abort until you
> upgrade your node (i.e. you run `mach bootstrap`, in most cases).
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1666172 has more details.
>
> Mark
>
> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Please run mach bootstrap; NodeJS/NPM security fixes landed

2020-10-08 Thread Mark Banner 
  * Upgrades for NodeJS from 10.21.0 to 10.22.1 and for NPM from 6.14.4
to 6.14.6 have merged to mozilla-central.
  * Everyone is encouraged to run `mach bootstrap` to upgrade the
toolchain on their machine.
  * The main security fix that we’re concerned with is in node, so I’ve
also set 10.22.1 as the minimum acceptable node version that mach
commands will allow.

This means that running mach `mach eslint —setup` will abort until you
upgrade your node (i.e. you run `mach bootstrap`, in most cases).

https://bugzilla.mozilla.org/show_bug.cgi?id=1666172 has more details.

Mark

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Removing preference for 'treating data: URIs as same origin' in FF83

2020-10-08 Thread Christoph Kerschbaumer 
Hey Everyone,

within Firefox 57, we started to treat data: URIs as unique opaque origins; in 
other words we stopped inheriting the security context for data: URIs. For more 
information see the ‘intent to ship’ from August 2017: 
https://lists.mozilla.org/pipermail/dev-platform/2017-August/019376.html 


Now, three years later it’s time to also remove the pref from our codebase 
entirely, we will do that within 
https://bugzilla.mozilla.org/show_bug.cgi?id=1552168 
 which will land within 
this cycle, Firefox 83.

Thank you,
  Christoph






___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform