** Description changed: Impact ------ SpiderMonkey (or mozjs) is Firefox's JavaScript engine. It is not well-supported by Mozilla. Generally, someone at Mozilla makes only one tarball release per Firefox ESR. For 38, this was done around 38.2. Fedora and Arch Linux build their mozjs38 using the final Firefox ESR tarball (38.8) which has 7 more months of high-priority bugfixes included. https://developer.mozilla.org/en- US/docs/Mozilla/Projects/SpiderMonkey/Releases/38 A quick review of the git log showed that there are multiple high- priority security fixes in this update. Test Case --------- Install the update. Reboot Log into GNOME Shell. Does it seem to work ok? Regression Potential -------------------- The gjs maintainer has so far only tested with the original release tarball, but the risk is mitigated by being used by Fedora. Mozilla does tend to be cautious about updating its ESR branch. Other Info ---------- - The Firefox tarball is very slow and difficult to work with since it has so many files. It was too big for the new debian/copyright Files-Excluded repack ( https://bugs.debian.org/855464 ). I used the older debian/repack scripts to cut the extra files. + The Firefox tarball is very slow and difficult to work with since it has so many files. It was too big for the new debian/copyright Files-Excluded repack ( https://bugs.debian.org/855464 ). I used debian/repack scripts instead to cut the extra files. With the repack, I lost the INSTALL, LICENSE and README files which are not included in the Firefox tarball since I didn't know how to use the repack script to inject a copy of those files. It did not seem important enough to use a quilt patch to restore them since they aren't shipped in the resulting binary packages. js/src/ctypes/libffi/doc/libffi.info and js/src/jit-test/tests/sunspider - /check-string-unpack-code.js were removed because - debian/README.source says to remove them. + /check-string-unpack-code.js were removed because debian/README.source + says to remove them. (Both files look like generated code.) Here's a visual diff of the new tarball: - https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/commit/?id=c324e07 + https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/commit/?id=2756358 And here's a git log (the original mozjs38 tarball is from mid-September 2015) https://github.com/mozilla/gecko-dev/commits/esr38/js/src mozjs38 is only packaged in Ubuntu 17.04 "zesty" More Justification ------------------ https://www.mozilla.org/en-US/firefox/38.3.0/releasenotes/. And change the version number from 38.3.0, 38.4.0 up to 38.8.0. The only change not "Various security fixes" is 38.5.0's https://hg.mozilla.org/releases/mozilla-esr38/rev/b8244a3f55e1 which does not affect any files included in our tarball. The Release Notes link to https://www.mozilla.org/en-US/security/known- vulnerabilities/firefox-esr/#firefoxesr38.8 Many of those vulnerabilities don't affect the SpiderMonkey JavaScript engine though. Testing Done ------------ I have tested that this package builds and that GNOME Shell runs with the built package. Sponsoring ---------- I pushed my work to a temporary git repo because I think it should be fairly easy to sponsor from there: https://git.launchpad.net/~jbicha/ubuntu/+source/mozjs38/ - I also enabled the build tests (with 2 patches to make them work) and made them fatal on some architectures. - If you decide you don't want that in this release, just skip the final commit. + There is a mozjs38 SRU accepted April 18 that enables build tests. It + would be nice if that could either be released into -updates first or + that update rolled into this update.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1683103 Title: Use final Firefox 38 ESR tarball to build mozjs38 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mozjs38/+bug/1683103/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs