/srv/irclogs.ubuntu.com/2009/01/05/#ubuntu-mozillateam.txt

[00:01] <asac> http://www.mozillazine.org/talkback.html?article=26135
[00:03] <asac> wtf ... http://paste.ubuntu.com/99899/
[00:04] <fta> "stray ‘\305’ in program" ?
[00:04] <fta> you edited that?
[00:05] <asac> no
[00:05] <asac> i hope its not hardware
[00:06] <asac> scary ... seemed to work on second attempt :(
[00:06] <asac> my memory is dying ... sigh
[00:07] <asac> i really feel bad now :/
[00:08] <fta> what do you have in dist/include/nspr/prio.h:301 ?
[00:09] <asac> nothing unusual
[00:09] <asac> how can i make vi show all whitespace codes?
[00:09] <asac> /home/asac/mozilla/security/1.8.1/mozilla/nsprpub/pr/include/prio.h: ASCII C program text
[00:09] <asac> typedef enum PRDescType
[00:09] <asac> { PR_DESC_FILE = 1, PR_DESC_SOCKET_TCP = 2, PR_DESC_SOCKET_UDP = 3, PR_DESC_LAYERED = 4, PR_DESC_PIPE = 5
[00:09] <asac> } PRDescType;
[00:09] <asac> PR_DESC_SOCKET_TCP = 2 is in that line
[00:10] <fta> cat -tven prio.h | grep 301
[00:10] <asac> so its really memory :(
[00:10] <asac> cat -tven /home/asac/mozilla/security/1.8.1/mozilla/nsprpub/pr/include/prio.h | grep 301 301    PR_DESC_SOCKET_TCP = 2,$
[00:10] <asac> http://paste.ubuntu.com/99903/
[00:11] <fta> nada
[00:11] <asac> i hope its a memory corruption in gcc or some other bug there
[00:11] <asac> and not my poor system :/
[00:11] <fta> https://edge.launchpad.net/+builds/berkelium
[00:11] <fta> boom
[00:12] <fta> *** TEST-UNEXPECTED-FAIL | ../../../_tests/xpcshell-simple/test_uriloader_exthandler/unit/test_handlerService.js | true == false
[00:12] <asac> seems still active ;)
[00:12] <asac> yeah
[00:12] <asac> probably your issue again?
[00:12] <asac> wasnt that the one with the setpref for external handler?
[00:13] <fta> i don't remember
[00:14] <fta> JS frame :: ../../../_tests/xpcshell-simple/test_uriloader_exthandler/unit/test_handlerService.js :: run_test :: line 155
[00:15] <fta> grr, i should not tar a bunch of symlinks to ../../../../blabla :(
[00:15] <asac> yeah i think thats it
[00:16] <asac> 1.8.1 browser build working :)
[00:16] <asac> finally
[00:16] <asac> lets see if make check works
[00:17] <asac> hangs in netwerk ... of course
[00:17] <asac> http://paste.ubuntu.com/99909/
[00:18] <fta> https://bugzilla.mozilla.org/show_bug.cgi?id=444440#c31
[00:18] <ubottu> Mozilla bug 444440 in File Handling "Unexpected application launched when $HOME/.mailcap contains an entry for the handled mime type" [Normal,Assigned]
[00:20] <asac> yeah still broken
[00:23] <asac> @time
[00:23] <ubottu> Current time in Etc/UTC: January 05 2009, 00:25:57 - Next meeting: EMEA Membership in 19 hours 34 minutes
[00:25] <fta> Membership?
[02:24] <[reed]> asac / fta: patches accepted!
[02:25] <asac> on mailcap?
[02:59] <[reed]> asac: on anything
[02:59] <[reed]> :)
[03:18] <asac> mozilla bug 461277
[03:18] <asac> ^^
[03:18] <ubottu> Mozilla bug 461277 in Embedding: GTK Widget "use G_TYPE instead of deprecated GTK_ macros in gtkmozembed.h" [Normal,New] http://bugzilla.mozilla.org/show_bug.cgi?id=461277
[03:18] <asac> not sure if superreview means that its ready
[03:19] <asac> then approval would make sense
[03:25] <[reed]> you don't need approval to land on mozilla-central
[03:25] <[reed]> sr is enough... bsmedberg owns embedding
[05:28] <crimsun> asac: heads up: jaunty's flashplugin-nonfree for amd64 users causes the same nondeterministic inaudible audio observed in hardy. this is due to ia32-libs and lib32asound2-plugins conflicting.
[05:29] <crimsun> so since ia32-libs is a dependency of nspluginwrapper on amd64, lib32asound2-plugins cannot be installed on Ubuntu, so pulseaudio and all audio apps using it need to be restarted after Flash attempts to grab the sound device.
[05:32] <crimsun> to resolve this issue, two things need to be done: 1) pulseaudio needs to build 32-bit libs for amd64 (similar to what alsa-lib and alsa-plugins do) so that lib32asound2-plugins can be built correctly, and afterward, 2) ia32-libs needs to be updated not to ship libasound2-plugins and instead depend on lib32asound2-plugins.
[07:42] <white> fta asac: the thunderbird tarballs I get with "get-orig-source" have an empty mozilla/mozilla dir, is that intended?
[07:48] <white> asac: i am also happy to start testing, in case you got the packages ;)
[08:52] <fta> white, obviously not
[08:53] <white> fta: well, i was just wondering, whether you hit the same problem ;)
[09:55] <asac> crimsun: thanks for the heads up
[10:41] <asac> white: finally preparing the tarballs now
[10:42] <asac> xul + sm + tbird + ffox (for 1.8.0 branch)
[10:42] <white> asac: ok, if you don't mind I'll start with icedove :)
[10:42] <white> asac: maybe Moritz will take other ice* as well
[10:43] <asac> white: ok. let me prepare the tbird tarball next then (currently tarring up sm)
[10:43] <white> nice, newer nss fails to build on i386 with: error: implicit declaration of function ‘putenv’
[10:43] <asac> white: what is "newer"?
[10:44] <white> asac: 3.12.1-1
[10:44] <asac> we are at 3.12.2~rc1
[10:44] <white> asac: the tarball i was getting with get-orig-source has an empty mozilla/mozilla dir btw :/
[10:45] <white> asac: knewer as in debian new ;)
[10:45] <asac> hehe
[10:45] <asac> white: which package? icedove 1.5?
[10:45] <white> s/knewer/newer/
[10:45] <white> asac: i am still working on an icedove for experimental
[10:46] <asac> ah
[10:46] <asac> white: you need mozilla-devscripts
[10:46] <asac> installed
[10:46] <asac> to produce orig
[10:46] <white> i have it
[10:46] <asac> interesting
[10:46] <white> it downloads a nice thunderbird orig.tar.gz
[10:46] <asac> ah ... so the icedovisation fails
[10:46] <asac> hmm
[10:47] <white> for testing here, i used another tarball with all the stuff self packed and then I get the build problem, where PK11_GetAllSlotsForCert is not declared
[10:47] <asac> white: take a look at the latest tbird 3 packaging branch ... i think fta moved logic from m-devscripts to the packages ... maybe thats the reason
[10:49] <asac> white: there is a bug in nss version checking code in debian/rules
[10:49] <asac> a)USE_SYSTEM_NSS := $(shell pkg-config --exists 'nspr >= 3.12'; a=$$?; if test $$a != 1; then echo 1; fi)
[10:49] <asac> -> that should be nss >= 3.12.1 or something i guess
[10:50] <asac> at least it should fall back to "in-source nss" if the version is not high enough
[10:50] <asac> if 3.12 is too low for a lower bound we should fix it
[10:50] <white> let me check
[10:51] <white> asac: 3.12.0 is too low as it doesn't declare PK11_GetAllSlotsForCert
[10:51] <white> so we need 3.12.1
[10:54] <asac> so debian didnt care to fix nss on i386?
[10:54] <asac> strange
[10:54] <asac> 3.12.1-1: alpha amd64 arm armel hppa ia64 kfreebsd-amd64 m68k mips mipsel powerpc s390 sparc
[10:54] <asac> 3.12.0-5: hurd-i386 i386 kfreebsd-i386
[10:55] <white> i've emailed Mike about it
[10:55] <white> there are different ways to fix it i guess
[10:55] <asac> i think we need a serious bug ;)
[10:55] <asac> nothing filed as it seems
[10:55] <white> put the declaration of putenv everywhere, set defines or maybe compile without -Werror
[10:55] <white> all are ugly ways :)
[10:55] <white> I'll file one
[10:55] <asac> package 3.12.2~rc1 ;)
[10:56] <asac> thats what is currently used for ffox 3 anyway
[10:56] <wikz> asac: Hi
[10:56] <white> asac: do you mind if I try to build it for experimental and maybe upload later today?
[10:57] <white> asac: newer nss that is
[10:57] <asac> white: give it a try. you cannot use ubuntu package unfortunately. we have reverted the soname patch from debian ... mike would hate us if we upload that to debian ;)
[10:57] <asac> white: yeah. just try the new tarball with debian packaging
[10:57] <white> ok, I'll give it a try
[10:58] <asac> white: take our orig i would suggest
[10:58] <asac> seems like upstream doesnt release .1, .2 etc.
[10:58] <white> will do
[11:02] <wikz> asac: The tar in tar trick you told me yesterday. Someone commented on why I had done it.
[11:04] <asac> wikz: your package doesnt ship debian/ dir in diff.gz
[11:04] <asac> thats the current major issue ;)
[11:04] <asac> you punched that in orig as it seems (i didnt look, but since its not in diff.gz and you say it builds I guess it is)
[11:04] <wikz> yeah
[11:04] <wikz> so where did I goof it up?
[11:05] <asac> wikz: you tarred up everything
[11:05] <wikz> asac: true
[11:05] <asac> wikz: the orig.tar.gz must only include tar.bz2
[11:05] <wikz> ok ok
[11:05] <wikz> so just create a tar.gz archive with .bz2 in it
[11:05] <asac> yes
[11:06] <wikz> I included the entire spicebird-0.7
[11:06] <asac> tar cvzf spicebird_0.7.orig.tar.gz spicebird-0.7/*.tar.bz2
[11:06] <asac> for instance
[11:06] <wikz> asac: so how come you guys have a different .orig.tar.gz which doesn't include any bz2 from mozilla. do you repack it
[11:07] <asac> wikz: don't understand the question ;)
[11:08] <asac> if you ask why we pack tarball on our own: answer is simply that mozilla doesnt release frequently enough. also we have to strip non free/binary stuff from it
[11:08] <wikz> asac: that explains it
[11:08] <asac> wikz: you should remove binary only stuff too
[11:09] <asac> look at the "remove.binonly.sh" in mozilla-devscripts
[11:09] <wikz> asac: ok will do that
[11:10] <asac> white: http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/icedove-1.5.0.13+1.5.0.15b+prepatch080614i.tar.bz2
[11:10] <asac> its based on http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/moz_1.8.0.15prepatches080614i.tar.gz
[11:11] <wikz> asac: also I am putting all my files in /usr/lib like fta did but I think debian says that images and resources should be in usr/share. should I change the .install files?
[11:12] <asac> who is debian?
[11:12] <asac> e.g. who speaks for them?
[11:13] <asac> if its "just" lintian feel free to ignore that complaint
[11:14] <wikz> asac: yes lintian does for my binary packages
[11:16] <asac> thats not a problem imo ... some might disagree, but well :)
[11:28] <wikz> asac: ok , so if I just pack tarball like you guys do can I get rid of the watch file?
[11:29] <wikz> and remove all the binary stuff. we don't have any non free stuff
[11:31] <asac> wikz: you have a bunch of binary stuff in your tarball i guess
[11:32] <wikz> loads of them :)
[11:33] <asac> then yes. you just need to remove binary only stuff
[11:33] <asac> (binary stuff if sources are there is ok - though not encouraged)
[11:35] <wikz> how about if I will ask upstream to maintain a debian only source tarball so I can use a watch file too :)
[11:35] <white> asac: do you guys have a description base for the mozilla advisories somewhere?
[11:35] <white> asac: or did Moritz always search by himself through the mozilla pages?
[11:37] <asac> wikz: would work
[11:37] <asac> white: usually i put that info in the changelog
[11:38] <asac> in previous times i sent the advisory infos to the list and mike ... but since nobody cared for quite some time i stopped doing that
[11:38] <asac> white: http://www.ubuntu.com/usn/usn-690-3
[11:39] <white> asac: yeah, Moritz complained during the last sec meeting that too few of us did any work on mozilla, thus I'm trying to take at least icedove in this round :)
[11:39] <asac> those are the issues fixed in the 1.8.0 patchset
[11:39] <asac> there are no "mailnews" only advisories this time
[11:39] <asac> but you should also add the MFSAs ... look at the previous changelogs
[11:39] <asac> to get the mapping look at the icedove changelog in unstable
[11:39] <white> will do, thanks for the pointer
[11:39] <asac> that should be a superset of what is fixed in 1.8.0
[11:40] <asac> e.g. take icedove 2.0.0.19 changelog ... filter it by the CVEs from above
[11:40] <asac> hmm
[11:40] <asac> for 2.0.0.18 we need to go through them individually
[11:40] <asac> (this release contains .18 + .19 unfortunately)
[11:41] <asac> white: the starting point is usually: http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
[11:41] <white> i'll see that i get through them, would be great, if you could give the final version a glance though :)
[11:42] <asac> white: i will for sure
[11:43] <asac> white: out of the 2.0.0.18 items listed on that page, mfsa2008-52 doesnt apply for 1.8 branches
[11:44] <asac> sorry ... the javascript part doesnt apply
[11:44] <asac> e.g. CVE-2008-5018 is ffox 2 only (e.g. not 1.5)
[11:44] <asac> but CVE-2008-5017 is valid (also 2008-52)
[11:48] <asac> white: everything else in the 2.0.0.18 section of current sid icedove applies
[11:48] <asac> for 2.0.0.19 part use the CVEs in the usn above to filter stuff
[11:49] <asac> oh mfsa2008-48 doesnt apply either
[11:49] <asac> so CVE-2008-5018 (mfsa2008-52 part 1) and mfsa2008-48 are not in 1.8.0 branches
[11:49] <asac> thanks ;)
[11:49] <white> asac: you cause me a headache ;)
[11:54] <asac> white: heh ;
[11:54] <asac> i will give it to you in a few
[11:54] <asac> white: in debian/rules you need to update TBIRD_BZ2_ARCHIVE=thunderbird_1.5.0.15pre080614i-source.tar.bz2
[11:55] <asac> that line
[11:55] <asac> to refer to the proper tar.bz2 that is in archive/
[11:55] <white> done already :)
[11:56] <white> i am test building (started 30 min ago i think)
[11:56] <asac> cool
[11:57] <asac> white: http://paste.ubuntu.com/100263/
[11:58] <asac> i added "not affected" to those entries from icedove that are not affected
[11:58] <asac> i removed  CVE 5510 as its not yet fixed on 1.8.0 (patch is a bit more complicated there) ... in case you want to add that to CVE tracker
[11:58] <asac> http://paste.ubuntu.com/100265/
[11:58] <asac> annotated with proper upstream version
[12:00] <white> asac: btw would you generally be interested in using the security tracker as the source for security overviews? (public issues only of course)
[12:06] <white> asac: older stuff like http://www.mozilla.org/security/announce/2008/mfsa2008-37.html aka CVE-2008-0016 is also fixed in this round? (It was marked as fixed for 2.0.0.17-1)
[12:11] <white> btw Mike mailed me and would rather like to fix the nss FTBFS, so i guess no new experimental version :/
[13:07] <asac> yeah was expected. not sure why he doesnt like the current nss release though ;)
[13:09] <asac> white: look at the bugs referenced in mfsa
[13:09] <asac> http://www.mozilla.org/security/announce/2008/mfsa2008-37.html
[13:09] <asac> those have approval1.8.0.next ... which means that i landed them in distro patchset
[13:10] <asac> white: do you have a bugzilla account?
[13:18] <white> nope :/
[13:20] <white> asac: good news, icedove builds on etch :)
[13:27] <asac> white: yay ;)
[13:27] <asac> does it work?
[13:27] <asac> also test enigmail ;)
[13:28] <asac> basic testing would be: imap with ssl/tls, pop with ssl/tls; dragging messages around, checking that all preferences tabs are functional (e.g. not broken); testing a langpack; testing enigmail (sign/enc); testing sending mail through SMTP and SMTP/SSL
[13:29] <asac> also maybe blog subscription/rss
[13:29] <asac> but well ;)
[13:30] <white> i'm still busy with the advisory, but i'll get to it :)
[13:30] <asac> http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/seamonkey_1.5.0.15pre080614i-source.tar.bz2
[13:30] <white> asac: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4070
[13:30] <asac> if you are brave you would also look at that ... seamonkey doesnt have embedded tarball
[13:31] <asac> you can just use that and after that run ./debian/rules source (which will do the iceapisation :))
[13:31] <asac> white: again, look at the bug ;)
[13:31] <asac> also you can see if the patch is in the "patches" directory of the tarball
[13:32] <asac> it always starts with the bugnumber ;)
[13:32] <asac> in this case its in the patchset ... yes.
[13:32] <asac> asac: approval1.8.0.next+
[13:32] <asac> mozilla$ ls patches/425152_attachment_334030.patch
[13:32] <asac> patches/425152_attachment_334030.patch
[13:33] <asac> (just to clarify: i am happy to dig up everything for you ;) ... just want to teach you how you can find info on your own)
[13:34] <asac> its http://www.mozilla.org/security/announce/2008/mfsa2008-46.html ... which has https://bugzilla.mozilla.org/show_bug.cgi?id=425152
[13:34] <ubottu> Mozilla bug 425152 in Security "heap overflow when canceling usenet message in nsNNTPProtocol::DoCancel()" [Normal,Resolved: fixed]
[13:34] <asac> 13:00 < white> asac: btw would you generally be interested in using the security tracker as the source for  security overviews? (public issues only of course)
[13:34] <white> don't worry, it's good to go through it with you and it helps me a lot. I'll get familiar with the stuff, sometimes i just need a little longer :)
[13:34] <asac> what do you mean by that exactly ;)
[13:35] <asac> white: you should really get a bugzilla account ;) ... in future you probably want to be able to see embargoed bugs and i can CC you if you have an account ;)
[13:35] <asac> not really urgent for this round ... but ;)
[13:36] <white> asac: i mean that if you want i could give you access to the tracker and you could track issues there as well, if it helps you (it would of course help us heaps ;) )
[13:38] <asac> i will think about it ... what features does it provide? just adding info where what is fixed?
[13:38] <asac> or can i also add comments (like this is MFSA-2008-XX - javascript part)
[13:38] <asac> ?
[13:38] <white> you can also add NOTEs or TODOs
[13:38] <white> it could even be extended to track ubuntu versions
[13:38] <white> but that might be a different topic
[13:38] <asac> i think we have our own tracker here ;)
[13:39] <asac> (which i dont use ... just push that documentation stuff to sec team)
[13:39] <asac> i will ask them ... maybe there already is a sync or something?
[13:39] <asac> jdstrand: ??
[13:39] <asac> ^^
[13:40] <asac> jdstrand: white is from debian security team ... white: jdstrand is ubuntu security team ;)
[13:40] <white> asac: i've discussed the tracker issue with kees. It seems that ubuntu wants to keep their own tracker
[13:41] <white> asac: however, it would be great for us to have you using our tracker for mozilla stuff and maybe it can be useful for you in several ways
[13:41] <asac> yeah most likely launchpad
[13:43] <asac> white: i would definitely be willing to try that. however, i am really bad at remembering to document stuff ... so better dont rely on me - but i think as soon as i am not alone anymore this tracker thing will just resolve
[13:43] <white> asac: what's the best way to find information about issues like http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4068, where there is no bugnumber :/
[13:43] <asac> white: if there is a mfsa link then you are lucky
[13:43] <asac> click on that
[13:43] <asac> and there you will find the bug
[13:44] <white> no bug there
[13:44] <asac> white: if there is not an mfsa link then its either unfixed or (usually) mitre was on crack and assigned stuff to non-issues
[13:44] <asac> white: https://bugzilla.mozilla.org/buglist.cgi?bug_id=380994,394075,416318
[13:44] <asac> white: there is the link
[13:44] <white> asac: there is a mfsa link
[13:44] <asac> its on http://www.mozilla.org/security/announce/2008/mfsa2008-44.html
[13:44] <white> ah damn
[13:44] <asac> above the CVE links
[13:44] <asac> its just a "multi" bug CVE
[13:44] <white> nevermind :)
[13:45] <asac> white: if you cannot see any of those then its embargoed and i would have to CC you
[13:45] <asac> but all seem to be opened up
[13:45] <white> i'm just checking whether they are fixed or not
[13:45] <asac> white: yeah ... look in patches/series
[13:46] <asac> if they are not in there look in bug ... as if they dont apply i usually comment on that in the bug
[13:46] <white> asac: only one of the bugnumbers is mentioned there
[13:46] <asac> white: yeah. look at the bugs in bugzilla ... the one bug has all the patches
[13:46] <white> ah ok
[13:46] <asac> the other is just testcase/documentation bugs
[13:47] <asac> its frequent that there are a bunch of bugs (even with patches) and then one wrap up bug which contains the accumulated branch patches
[13:47] <asac> (sorry, to throw all this at you ... its quite a lot of implicit knowledge there ... feel free to ask if you are uncertain :))
[13:49] <white> no problem, i might have to do something else for a while now, but will try to send the advisory draft to you tonight and test the packages
[13:50] <asac> white: sure
[13:50] <asac> thanks so much
[14:13] <white> asac: do you know where the "compare" target comes from? icedove-3.0 fails to build for me, because the rule doesn't exist
[14:13] <white> i am curious what it does or did
[14:17] <asac> white: mozilla-devscripts
[14:17] <asac> white: which version are you using?
[14:19] <white> 0.12
[14:19] <white> can i live without the target?
[14:20] <asac> white: is there no /usr/share/mozilla-devscripts/compare.mk ?
[14:20] <white> yes there is
[14:21] <white> maybe it's not included for some reason
[14:21] <white> nah it's not included
[14:21] <white> -include /usr/share/mozilla-devscripts/$(DEB_MOZ_APPLICATION).mk
[14:21] <white> my DEB_MOZ_APPLICATION is icedove-3.0
[14:22] <asac> bummer
[14:22] <asac> white: you probably know how to fix that ;)
[14:22] <asac> we should talk with fta bout that
[14:22] <white> asac: i just wanted to remark it :)
[14:23] <asac> valid
[14:24] <asac> i think debhelper should get the ability to use debian/control.SOURCEPACKAGE name in preference to debian/control
[14:24] <asac> in that way we could more easily maintain both in one tree
[14:24] <asac> assuming that i hate templates for control ;)
[14:39] <asac> white: i think i refer to the patchset in changelog usually ... the one used for this is: http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/moz_1.8.0.15prepatches080614i.tar.gz
[14:40] <asac> maybe also give the tarball location
[14:49] <asac> white: now i remember why iceape is soooo outdated in etch. its glandium kept calendar, so one cannot even use the upstream tarball directly
[14:49] <asac> damn
[14:49] <asac> thats really bad
[14:59] <white> asac: you have mail
[14:59] <white> i'll be relocating home soon, later i'll produce a nice changelog entry, rebuild and start testing
[14:59] <white> please check the draft i sent to you :)
[15:01] <asac> white: thanks. try to keep the current changelog form if possible ;)
[15:03] <white> asac: ignore the formatting issues in the draft, i'll fix them up later, just tell me, if you are satisfied with the rest :)
[15:07] <asac> white: s/Iceweasel/Icedove/
[15:08] <asac> white: did you do the CVE list like i said?
[15:08] <asac> or are you also naming stuff that is fixed in sid?
[15:08] <white> asac: i went through the list from http://security-tracker.debian.net/tracker/status/release/stable
[15:09] <white> asac: and i added the MFSAs
[15:09] <asac> (not all apply in both places)
[15:09] <white> asac: well they should apply for etch and all are fixed in sid (it doesn't matter, if some were fixed earlier)
[15:10] <white> or am i missing something?
[15:11] <asac> white: have you checked whether those CVEs have been named in the changelog before?
[15:11] <asac> i think most of them are already mentioned
[15:11] <asac> so they are not fixed in this upload, but in the ones before
[15:12] <asac> hmm
[15:12] <asac> ok
[15:13] <asac> so 2.0.0.17 never made it to security hmm
[15:13] <asac> i was quite sure i uploaded that
[15:13] <asac> but well ... maybe i just did xulrunner considering its higher impact
[15:14] <asac> hmm
[15:15] <asac> i think there is one MFSA missing
[15:16] <asac> white:     * MFSA 2008-59 aka CVE-2008-4582 - Script access to .documentURI and
[15:16] <asac>       .textContent in mail
[15:17] <asac> that one is also fixed everywhere else ... (its probably not in the tracker because the upstream MFSA doesnt provide the CVE)
[15:17] <asac> well ... everywhere where the 1.8.1.18 backports have been released to
[15:29] <white> asac: have to relocate now, will answer later
[16:48] <white> asac: does CVE-2008-4582 affect icedove? I thought it's only for the browsers
[16:48] <white> asac: apart from that one, any other points?
[16:48] <white> i'll write the changelog now
[17:02] <asac> white: is the patch in there?
[17:02] <asac> white: it doesnt apply to 1.8.0 branches
[17:02] <asac> https://bugzilla.mozilla.org/show_bug.cgi?id=455311#c78
[17:03] <ubottu> Mozilla bug 455311 in Networking: File "[FIX]mid-autumn festival vulnerability" [Normal,Resolved: fixed]
[17:03] <asac> but maybe i took https://bugzilla.mozilla.org/show_bug.cgi?id=455311#c80 anyway
[17:03] <asac> in case some embedders use .desktop files
[17:11] <white> hold on, i am just finishing the changelog
[17:16] <asac> yeah
[17:16] <asac> i am still here ;)
[17:17] <asac> iceape killed me again ... calendar/ has binary files, so no luck with diff ;)
[17:17] <asac> so now uue tarball ;)
[17:18] <white> asac: does that look ok to you? http://paste.debian.net/25288/
[17:18] <white> asac: i am a bit unsure about http://www.mozilla.org/security/announce/2008/mfsa2008-61.html aka CVE-2008-5503
[17:18] <white> i'll check whether there is a patch in the tarball
[17:19] <asac> white: please point to the tarball/patchset download source
[17:19] <asac> i think i did that in previous uploads?
[17:19] <asac> like:
[17:19] <asac> * backports for thunderbird 2.0.0.17 stability/security update
[17:20] <asac> i have in dapper:
[17:20] <asac>   * RELEASE security/stability backports for tbird 1.5 as of 2.0.0.19
[17:20] <asac>     (USN-701-2)
[17:20] <asac>     - http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/moz_1.8.0.15prepatches080614i.tar.gz
[17:20] <asac> white: btw, the upload we are looking at is 2.0.0.17 + 18 + 19
[17:21] <asac> also mention the tarball maybe: http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/icedove-1.5.0.13+1.5.0.15b+prepatch080614i.tar.bz2
[17:21] <white> it's quite a nice number of issues :)
[17:21] <white> ok, step by step
[17:21] <asac> white: look at the patches/series file ;)
[17:21] <white> so i have the *backports ... lines
[17:21] <asac> those are all issues we backported since 1.5 went eol
[17:21] <asac> those commented out are already committed
[17:23] <white> asac: then you want me to add three tarball lines pointing to patchsets?
[17:24] <asac> white: no ... just to the .19 patchset + tar.bz2
[17:24] <asac> they contain the rest
[17:26] <white> can you quickly post the URLs plz?
[17:33] <asac> patchset: calendar-1.0.9.tar.bz2.uue
[17:33] <asac> tarball: http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/icedove-1.5.0.13+1.5.0.15b+prepatch080614i.tar.bz2
[17:33] <asac> patchset: http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/moz_1.8.0.15prepatches080614i.tar.gz
[17:36] <white> asac: what's calendar-1.0.9.tar.bz2.uue
[17:38] <asac> white: thats a paste error ;)
[17:38] <white> :)
[17:38] <asac> i am trying to push calendar parts to iceape diff.gz
[17:38] <asac> so we can use tarballs again
[17:38] <white> ok anything else or can i start a nice build in cowbuilder?
[17:38] <asac> mike apparently shuffled the upstream tarballs without a repro instruction ;)
[17:39] <asac> white: yes, why do you say "non-maintainer upload"?
[17:39] <asac> imo its not really unusual that security team does security uploads for packages they dont maintain ;)
[17:39] <white> asac: common practise by most sec members
[17:40] <white> asac: i don't really maintain many packages anymore and do more uploads of packages i don't maintain ;)
[17:40] <asac> yeah ... but isnt really informative ;)
[17:40] <asac> why would anybody want to know that its a NMU?
[17:40] <white> it informs that it is a sec upload
[17:40] <asac> if that info is good to have it shouldnt have the "top" place ;)
[17:40] <white> and performed by someone from the sec team (although that doesn't mean much)
[17:40] <asac> white: thats already said by the other line
[17:41] <white> since it's common practise I'd prefer to keep it
[17:41] <asac> i dont mind ,)
[17:41] <white> :)
[17:42] <asac> oh
[17:42] <asac> #
[17:42] <asac> * MFSA 2008-67 aka CVE-2008-5510 - Escaped null characters ignored by CSS
[17:42] <asac> #
[17:42] <asac> i think thats the one that isnt fixed
[17:42] <white> hmm, it was marked as fixed in - icedove 2.0.0.19-1
[17:42] <asac> yeah
[17:42] <white> in our tracker, which doesn't have to mean anything :)
[17:42] <asac> its low severity and patch was too intrusive to take in this round
[17:43] <white> ok, i'll take it out then
[17:43] <asac> white: its fixed in 1.8 (e.g. 2) but not in 1.8.0
[17:43] <asac> so not in the upload you are preparing right now
[17:45] <white> i've added CVE-2008-5503 to the changelog and advisory, although it's pretty low severity IMHO
[17:45] <asac> white: also CVE-2008-5502 doesnt affect 1.8.0 branch
[17:46] <asac> just 5501 (layout)
[17:46] <white> so it was fixed already in etch?
[17:46] <asac> white: no it doesnt apply ;)
[17:47] <white> in the tracker it reads - icedove 2.0.0.16-1
[17:47] <white> as fixed version
[17:47] <asac> huh?
[17:48] <asac> white: CVE-2008-5502 is 1.9 branch only ... so its not fixed in any 2.
[17:48] <asac> because its not an issue there
[17:48] <asac> same for 5501
[17:49] <asac> http://www.mozilla.org/security/announce/2008/mfsa2008-60.html
[17:49] <asac> look there
[17:49] <asac> it says "Firefox 3" only
[17:49] <asac> which means its 1.9 branch only
[17:50] <white> ok, so i'll just mark it as not-affecting the debian versions and take it out of the changelog
[17:50] <asac> yeah ... but 5500 applies ;)
[17:50] <asac> (so the MFSA is valid)
[17:50] <white> got ya :)
[17:51] <asac> 18:45 < white> i've added CVE-2008-5503 to the changelog and advisory, although it's pretty low severity IMHO
[17:51] <asac> why wasnt that in there in the first place?
[17:51] <asac> did i forget that in sid?
[17:54] <asac> white: i think you also forgot http://www.mozilla.org/security/announce/2008/mfsa2008-46.html ... 2.0.0.17
[17:55] <asac> white: you also forgot https://bugzilla.mozilla.org/show_bug.cgi?id=458883
[17:55] <white> hmm i got it in the advisory, but not in the changelog :/
[17:55] <ubottu> Mozilla bug 458883 in Security "Make Document.documentURI and .textContent noAccess in mailnews" [Major,Verified: fixed]
[17:55] <asac> i already said all this above :/
[17:55] <asac> anyway ... let me look further ;)
[17:55] <white> i need to compare the advisory with the changelog :/
[17:56] <asac> white: no ... dont start with CVEs
[17:56] <asac> start with MFSAs ;)
[17:56] <asac> then go through the list
[17:56] <asac> thats better ;)
[17:56] <asac> i swear
[17:57] <asac> last was http://www.mozilla.org/security/announce/2008/mfsa2008-59.html
[17:57] <asac> thats what you forgot too
[17:57] <asac> ;)
[17:57] <asac> (not the bug)
[17:58] <asac> also missing http://www.mozilla.org/security/announce/2008/mfsa2008-61.html
[17:58] <asac> (i think you added that you said)
[17:58] <asac> yeah that should be it
[17:58] <asac> thanks
[17:59] <asac> so missing in changelog (from your paste):
[17:59] <asac> http://www.mozilla.org/security/announce/2008/mfsa2008-46.html
[17:59] <white> MFSA 2008-59 doesn't even have a CVE id?
[17:59] <asac> http://www.mozilla.org/security/announce/2008/mfsa2008-59.html
[17:59] <asac> http://www.mozilla.org/security/announce/2008/mfsa2008-61.html
[17:59] <asac> 16:16 < asac> white:     * MFSA 2008-59 aka CVE-2008-4582 - Script access to .documentURI and
[17:59] <white> ah right
[17:59] <asac> you should add that everywhere
[18:00] <asac> its affecting all 1.8 branch products
[18:00] <asac> e.g. everything except xulrunner/iceweasel in lenny
[18:00] <asac> ok cool
[18:00] <asac> that should be it ;)
[18:00] <asac> thanks a bunch
[18:01] <asac> i am still fighting iceape a bit ;)
[18:01] <asac> maybe i will have something later
[18:01] <white> after the whole ice* round is over (or icedove at least), i need to fix some other stuff, like some simple integer overflow or some XSS
[18:01] <white> something small, easy and successful ;0
[18:02] <asac> hehe
[18:02] <asac> well its a huge success if you manage to get icedove out ;)
[18:04] <asac> and also first time is always hardest ;)
[18:05] <white> building now
[18:13] <white> i have to ask again regarding CVE-2008-4582
[18:14] <white> it seems to point to http://www.mozilla.org/security/announce/2008/mfsa2008-47.html
[18:21] <white> ah CVE-2008-5024
[18:21] <white> nevermind :)
[18:35] <asac> white: hmmm indeed strange
[18:35] <asac> not sure whats that about
[18:36] <asac> thats the CVE for 59 that went over the ticker
[18:36] <asac> let me double check
ftahi18:56
IRCMonkeyheh19:00
IRCMonkeyiceape-chatzilla to houston ;)19:00
IRCMonkeyfun19:00
* IRCMonkey off19:02
whiteasac fta: i got an icedove version build now. I'll add a small patch to remove some branding. I've called the version 3.0~b1-1.1 and the packages icedove-3.0 as you requested19:07
whiteasac fta: Noel wanted to know, whether we could put that to experimental with your permission?19:07
whitei think he emailed asac19:07
whiteasac: i guess i'll give the package to noel and leave it to him :)19:16
asacyou dont need permission19:17
asacjust keep th eubuntu mozillateam in Maintainer field ;)19:17
asacand give the code back you did to us ;)19:17
asacwhite: ^^19:18
asacfeel free to add all of you to Uploaders19:18
whiteis Mike ok with that as well or isn't he maintaining icedove?19:18
asache isnt19:19
asaci already moved Maintainer: to ubuntu team19:19
asacit was myself before for ages19:19
asaclike you can see in the etch package ;)19:19
whiteok, i just wanted to make sure everything is sound :)19:19
whiteso should i just commit my icedove-3.0 branch to bazaar?19:20
BUGabundoasac: do you have any news from fta about FF3.1 not starting with xmlruner?19:20
asacwhite: if you have a branch then yes19:20
whiteasac: don't i need some special foo powers?19:20
asacBUGabundo: no19:20
BUGabundobah19:20
BUGabundocan't open it for 2 weeks!19:21
ftahm19:21
ftai need context19:21
asacwhite: push that to your own area for now ... i will shove it over. we can add you to team on next meeting ... which is in 10 days or so ;)19:21
BUGabundoneed to downgrad again19:21
BUGabundofta don't you remember me telling you that that it segfault?19:21
BUGabundowhen I had both 3.0 and 3.1 PPA ?19:21
ftaoh, 2 != versions at the same time19:21
BUGabundofound that it was related to the PPA version of xlrunner19:21
BUGabundo1.9.1 or something19:22
ftawell, i wanted to find the root cause last week but got busy with something else19:22
BUGabundo$ firefox-3.1 Could not find compatible GRE between version 1.9.1b3pre and 1.9.1b3pre.19:22
ftathis is different19:22
ftaplease, show me your /etc/gre.d19:22
BUGabundofrom POV it's the same!19:22
BUGabundolol19:22
BUGabundo1.9.0.4.system.conf19:23
BUGabundo1.9.0.5.system.conf19:23
BUGabundo1.9.2a1pre.system.conf19:23
ftayou don't have xulrunner-1.9.1 installed ?19:24
BUGabundoI think I have19:24
ftaapparently not19:24
BUGabundoxulrunner-1.9.1:19:24
BUGabundo  Installed: 1.9.1~b3~hg20090103r22626+nobinonly-0ubuntu1~fta319:24
BUGabundo  Candidate: 1.9.1~b3~hg20090103r22626+nobinonly-0ubuntu1~fta319:24
BUGabundo  Version table:19:24
BUGabundo *** 1.9.1~b3~hg20090103r22626+nobinonly-0ubuntu1~fta3 019:24
BUGabundo        500 http://ppa.launchpad.net jaunty/main Packages19:24
BUGabundo        100 /var/lib/dpkg/status19:24
BUGabundo     1.9.1~b2+build1+nobinonly-0ubuntu3 019:24
BUGabundo        500 ftp://darkstar.ist.utl.pt jaunty/universe Packages19:24
BUGabundo        500 ftp://archive.ubuntu.com jaunty/universe Packages19:24
BUGabundoIt seems I do have it!19:24
BUGabundoyour PPA version19:24
ftayou should have a /etc/gre.d/1.9.1b3pre.system.conf file then19:25
ftastrange19:25
BUGabundoyeah19:25
asacfta: yes. i think there is a bug in migration19:25
BUGabundo--reinstall ?19:25
asacfta: i had some more complains that the gre file was gone19:25
asacBUGabundo: give it a try19:25
asacBUGabundo: --reinstalll xulrunner-1.919:25
asac(not ffox)19:25
BUGabundothanks19:25
BUGabundoI know ... just looking for the correct package19:26
ftadpkg-query -W -f='${Conffiles}' xulrunner-1.9.1 | grep gre.d19:26
BUGabundobah... one 'l' too many19:26
BUGabundo/etc/gre.d/1.9.1b3pre.system.conf 9284295b58639184f779e138babb9ee319:26
BUGabundodo you want the md5sums too?19:27
BUGabundoFYI I did change gconf to use the latest cul19:27
ftais that before or after --reinstall19:27
BUGabundo*xul19:27
fta?19:27
BUGabundobefore19:27
BUGabundoreinstall running now19:27
BUGabundoIf you wish to add some of these files, please add them by name.19:27
BUGabundoCommitting to: /etc/19:27
BUGabundomodified alternatives/xulrunner19:27
BUGabundomissing gre.d/1.9.0.4.system.conf19:27
BUGabundodeleted gre.d/1.9.0.4.system.conf19:27
BUGabundoLOL19:28
ftawooww19:28
asacfta: i think it happens when you install 1.9.1 for first time. at least the complains couldnt reproduce, after they fixed it19:28
BUGabundosomething changed according to my bzr backup of /etc19:28
BUGabundo$ firefox-3.1 Could not find compatible GRE between version 1.9.1b3pre and 1.9.1b3pre.19:29
asacfta: dont you use rm_conffile?19:29
ftano19:29
asacwhy not?19:29
BUGabundo/etc/gre.d/1.9.1b3pre.system.conf 9284295b58639184f779e138babb9ee319:29
BUGabundoafter reinstall19:29
ftawell, yes19:29
asacthats actually quite important ;)19:29
asacah ok19:29
BUGabundolook the same to me19:29
asacBUGabundo: md5sum /etc/gre.d/1.9.1b3pre.system.conf gives you?19:30
ftaasac, http://paste.ubuntu.com/100515/19:30
asacfta: in preinst?19:30
BUGabundo$ md5sum /etc/gre.d/1.9.1b3pre.system.conf19:30
BUGabundomd5sum: /etc/gre.d/1.9.1b3pre.system.conf: No such file or directory19:30
ftaasac, yes19:30
BUGabundo1.9.0.5.system.conf19:31
BUGabundo1.9.2a1pre.system.conf19:31
asacfta: maybe in preinst everything is obsolete or something ... hmm19:31
asacfta: @XULBRANCH@? who cares about 1.9.0? is that supposed to be done by 1.9.0?19:32
ftaasac, what i experienced a few times is that when you upgrade for v1 to v2, the gre-v1.conf file is not removed, if you upgrade again (ie v2 to v3 or v2 to another v2), it v1 is removed19:33
fta-for+from19:33
asacwell ... in this case the new config is removed right?19:33
asacmaybe we should take care that we dont remove stuff from the same gre version19:33
ftait seems so but i never experienced that19:33
ftai'll have a closer look after dinner19:33
asacconffiles are a real pita19:34
BUGabundoso now good news for me?»19:34
asacsometimes they are not replaced with new files even though they were never touched :(19:34
asacBUGabundo: so did you reinstall?19:34
BUGabundoyep19:34
asacwhich package version of xulrunner was installed?19:34
* fta blames dpkg19:34
BUGabundoRemoving obsolete conffile /etc/gre.d/1.9.0.4.system.conf ...19:35
BUGabundoUnpacking replacement xulrunner-1.9 ...19:35
BUGabundoSetting up xulrunner-1.9 (1.9.0.5+nobinonly-0ubuntu1) ...19:35
BUGabundoI have from 1.9.0,1.9.1 and 1.9.219:35
ftaapt-cache madison xulrunner-1.9 xulrunner-1.9.1 xulrunner-1.9.2 | grep -v Source19:35
BUGabundoxulrunner-1.9 | 1.9.0.5+nobinonly-0ubuntu1 | ftp://darkstar.ist.utl.pt jaunty/main Packages19:36
BUGabundoxulrunner-1.9 | 1.9.0.5+nobinonly-0ubuntu1 | ftp://archive.ubuntu.com jaunty/main Packages19:36
BUGabundoxulrunner-1.9.1 | 1.9.1~b3~hg20090103r22626+nobinonly-0ubuntu1~fta3 | http://ppa.launchpad.net jaunty/main Packages19:36
BUGabundoxulrunner-1.9.1 | 1.9.1~b2+build1+nobinonly-0ubuntu3 | ftp://darkstar.ist.utl.pt jaunty/universe Packages19:36
BUGabundoxulrunner-1.9.1 | 1.9.1~b2+build1+nobinonly-0ubuntu3 | ftp://archive.ubuntu.com jaunty/universe Packages19:36
BUGabundoxulrunner-1.9.2 | 1.9.2~a1~hg20090102r23257+nobinonly-0ubuntu1~fta2 | http://ppa.launchpad.net jaunty/main Packages19:36
ftaok19:36
ftabug in my preinst then19:36
* BUGabundo blames stable,beta & alpha all together!19:36
ftabut this is different from running != versions at the same time19:37
fta<BUGabundo> missing gre.d/1.9.0.4.system.conf19:37
fta<BUGabundo> deleted gre.d/1.9.0.4.system.conf19:37
ftawhen did that happen?19:37
BUGabundoafter the reinstall19:37
BUGabundoits the bzr log19:38
BUGabundothat is attached to apt19:38
BUGabundohumm how is it called!!?19:38
BUGabundoetckeeper19:38
ftacould you please pastebin me your traces (apt)19:39
BUGabundofull command please!19:39
BUGabundoof the reinstall?19:39
BUGabundohttp://paste.ubuntu.com/100527/19:40
ftamaybe from /var/log/apt/term.log if your xul upgrades are in there19:40
BUGabundohttp://paste.ubuntu.com/100528/19:42
ftahttp://paste.ubuntu.com/100527/ <= this is correct, 1.9.0.5 removes the old 1.9.0.4 gre file, but it happened at reinstall not when 1.9.0.5 was first installed, so this is sub-optimal19:42
ftaasac, do you have a bug # on lp for this bug?19:43
ftaBUGabundo, what happens when you --reinstall 1.9.1 ?19:45
BUGabundoagain??19:45
BUGabundolol19:45
BUGabundohave a look at the log above fta19:45
ftahmm, you pasted 1.9 several times19:45
ftadid i mis-read?19:46
BUGabundodon't know!19:46
BUGabundobut I can always redo it to be sure19:46
BUGabundoso its 1.9.1 correct?19:46
ftahold on, reading your long log file19:46
ftaPreparing to replace xulrunner-1.9.1 1.9.1~b2+build1+nobinonly-0ubuntu3 (using .../xulrunner-1.9.1_1.9.1~b3~hg20081227r22500+nobinonly-0ubuntu1~fta1_amd64.deb) ...19:47
ftaRemoving obsolete conffile /etc/gre.d/1.9.1b3pre.system.conf ...19:47
ftaUnpacking replacement xulrunner-1.9.1 ...19:47
ftanot good19:47
BUGabundofta tail it!! last lines all you need19:47
BUGabundoyeah so now I have no 1.9.1 on gre.d19:48
ftanope, i need history, the cause is just this19:48
BUGabundohumm19:48
BUGabundoI did downgrade from FF3.1b3 PPA to 3.1 archive19:48
BUGabundoand xul too!19:48
ftaif the clean-up happens one step too late and you keep reverting to b2, bingo, you lose your gre file19:48
BUGabundobut I enable it again to check if you fixed it and got into this19:49
=== rzr is now known as rZr
ftawhat i already know: b2-1 -> b2-2 -> b2-3 -> b3-1 (nada, while gre/b2 should be removed) -> b3-2 (gre/b2 removed, all fine) -> b3-3 ...19:51
ftayou seems to be doing: b2-3 -> b3-1 -> b2-3 -> b3-2 -> b2-3 -> b3-3 (no b3 gre file??)19:52
ftais that correct?19:53
* BUGabundo is confused (and hungry)19:53
ftadon't :)19:53
ftai'm trying to understand your upgrade path19:53
BUGabundohumm19:53
BUGabundook... ibex -> jaunty pre-alpha1, with PPA always enabled AFAIR19:54
fta(bear with me..)19:54
BUGabundolast week FF3.1 started segfaulting19:54
BUGabundoso I posted it here19:54
BUGabundoinstalled 3.2 and it also failed19:54
BUGabundowhen FF3.0 was opened19:54
BUGabundoremoved PPA and downgrade just FF3.1 to archive19:55
BUGabundono go, so I downgraded xul too!19:55
BUGabundoit worked ! enabled PPA again and got here today to ask what's up!19:55
ftayou're mixing 2 issues: a/ gre file disappearing & causing ff-x to fail on startup and b/ concurrent versions no longer running but showing a segfault and opening a window from the other version19:56
ftafor b/ i know what is causing that, i could revert my changes but i would prefer fix the bug (needs work)19:57
BUGabundook19:57
BUGabundoabout a/?19:57
ftafor a/ it seems to be caused by my preinstall script but it's still not clear to me how you could end up there. yet, i see did it.19:58
ftaand asac said some other guys filed bugs about that very same thing19:58
BUGabundoasac: any luck getting the ML moderate pass? mail still in queue19:59
BUGabundofta: should I remove it all19:59
BUGabundowith purge?19:59
BUGabundoand start again?19:59
ftato fix a/ i need to understand the situation, i'll study your logs after dinner, this bug is more critical than b/19:59
BUGabundothanks20:00
BUGabundoDinner time20:00
BUGabundobrbr20:00
ftato work-around a/, you can just re-create that file manually, it's easy.20:00
BUGabundosend me yours20:01
BUGabundoLOL20:01
ftafta@ix:~ $ cat /etc/gre.d/1.9.1b3pre.system.conf20:01
fta[1.9.1b3pre]20:01
ftaGRE_PATH=/usr/lib/xulrunner-1.9.1b3pre20:01
ftaxulrunner=true20:01
ftaabi=x86-gcc320:01
ftaif you are on amd64, the last line is "abi=x86_64-gcc3"20:03
BUGabundoI am20:03
BUGabundoI'll create it after dinner20:03
BUGabundo[[]]20:03
ftaok, cu then20:04
directhexi hate that20:09
directhexthat's cocked me up before when building .xpi files20:09
asacBUGabundo: we have to wait for gnomefreak ;)20:30
asacdirecthex: ?20:30
directhexasac, ABI stuff being read from the running cpu when compiling plugins, not the compiler arch20:31
asacwhite: CVE-2008-406620:31
asaci think thats not fixed in our 1.8.0 branches20:31
asaccan you note that in tracker so i get to it? (its http://www.mozilla.org/security/announce/2008/mfsa2008-43.html part 2 ... if you could add that as comment)20:31
asacdirecthex: ah ok. can be itchy ;) ... i think BUGabundo didnt have any line though ;)20:32
whiteasac: taken out of the advisory and the changelog20:39
ftaBUGabundo, sudo zgrep -hE '(xulrunner-1.9.1 |gre.d/1.9.1)' /var/log/apt/term.log.{2,1}.gz /var/log/apt/term.log | grep -vE '^(Setting up|Unpacking)'20:39
whiteasac: it's fixed in sid though right?20:39
=== rzr is now known as rZr
asacwhite: not sure right now20:48
asacwhite: sorry for confusion. seems i messed up my own iceape tarball by using the wrong patchset version ;) so not all was in there20:48
asaclet me check20:48
asacwhite: ok what i said was correct. its missing ... its in 2 though20:49
whiteasac: new icedove package seems to work, at least i can reach my pop/imap accounts and use smtp on my relay host :)20:55
whiteasac: CVE-2008-4066: - icedove 2.0.0.17-1 (that is the fixed icedove entry)20:57
asacwhite: http://paste.ubuntu.com/100583/ ;)21:25
asacwhite: you know whether i need to build depend on sharutils and bzip2?21:25
ftawoww, that's a lot of MFSAs21:27
asacthat was even more work21:27
asaci went through all MFSAs and checked that we have it21:27
asaci found three bugs that i somehow dont have in the patchsets21:27
asachave to investigate now and patch them next time if it turns out to be forgotten21:28
asacmost likely i just forgot to document in bug why i didnt take it though21:28
whiteasac: nice work21:28
whiteasac: but back to icedove, one step at a time ;)21:28
whiteasac: CVE-2008-4066: - icedove 2.0.0.17-121:29
whiteis that still correct?21:29
whiteicedove etch packages seem to work by the way as already said :)21:29
asacwhite: good. you have a mfsa for that?21:30
white21:31 < asac> can you note that in tracker so i get to it? (its http://www.mozilla.org/security/announce/2008/mfsa2008-43.html part 2 ... if you could add that as comment)21:30
asacyes21:30
asacthats fixed in 2.0.0.1721:30
whiteasac: i was wondering, if it is fixed in sid and if so, which version it was fixed :)21:30
whiteah great :)21:30
asacts just that the second part is not in 1.8.021:30
whiteso is the CVE fixed in sid? (like the second part)21:31
asacwhite: for upstream tarballs you can check whether bugs are fixed by going to the bug and look for the fixed1.8.1.17 (for 2.0.0.17) ;)21:31
whitesorry, but i need to get through the CVEs :)21:31
asacor verified1.8.1.1721:31
asacwhich is even saying that QA has verified that its fixed21:31
asacwhite: for outstanding CVEs we discuss at best add the MFSA ;)21:32
asacso we dont need to hunt it down ;)21:32
whitei'll try my best :)21:32
asacsure21:32
asacif not ... we will survive it ;)21:32
asacthough scratching heads again21:32
ftadid you guys use m-d ?21:32
white:)21:32
asacfta: for what?21:33
asacfta: for patchset management?21:33
asaci think thats a missing feature as of now ;)21:33
whiteasac: ok, at the moment, the etch packages are rebuilding without the CVE id in it21:33
ftaexplain21:33
whiteasac: but with the MFSA included21:33
asacwould be cool if i could tell it: also add patchset "url-to-patches/tarball" and "url-to-patches/tarball2"21:33
whiteasac: were there any other objections?21:33
asacand apply ;)21:33
asacwhite: post the changelog again ;) ... my brain is out of sync again ;)21:34
whitesure21:34
whiteasac: http://paste.debian.net/25323/21:35
* asac just noticed that he is using ffox 1.5 for the last 5 hours ;)21:36
asacthought it was broken ;) ... but now i see21:36
whiteasac: should i resend the advisory draft as well?21:37
whiteill just do it anyway :)21:37
asac* MFSA 2008-37 aka CVE-2008-0016 -  UTF-8 URL stack buffer overflow21:37
asacthere are two whitespaces21:37
asac16 -  UTF-8 URL21:37
asac  ^^21:37
white:)21:38
asacwhite: maybe use the same i used for -4121:39
fta[11:47] <asac> white: take a look at the latest tbird 3 packaging branch ... i think fta moved logic from m-devscripts to the packages ... maybe thats the reason21:39
asachttp://paste.ubuntu.com/100583/21:39
ftai'm not done with that yet21:39
asacfta: ah21:39
asacok21:39
ftajust a few packages moved21:39
asacwas just a blind guess21:39
asacwe found it actually21:39
asacits DEB_MOZ_APPLICATION=icedove-3.021:39
asacwhich kills the thing21:39
asacfta: ^^21:39
fta?21:40
asacprobably icedove-3.0 needs to ship a debian/icedove-3.0.mk and include the thunderbirc-3.0.mk?21:40
asacfta: compare isnt included21:40
asacbecause $(DEB_MOZ_APPLICATION).mk doesnt exist21:40
ftacompare is included in $(project).mk usually, but could be included directly21:41
whitedoesn't matter much for as long as mozilla-devscripts isn't uploaded to debian :)21:41
ftabut then you need to add your own filters21:41
asacwhite: please take my text for -41, -42 (http://paste.ubuntu.com/100583/)21:41
whiteasac: you mean http://paste.debian.net/25324/ ?21:42
asacyes21:43
asacwhite:  * MFSA 2008-45 aka CVE-2008-4069 - [1.8 branch] XBM appears to draw21:43
whiteok21:43
asac    uninitialized memory21:43
asacis that not tbird?21:43
asacseems like21:43
asacok21:43
asacwhite: same for the other multi advisories: -52, -60 -6821:45
asaci'd say that http://www.mozilla.org/security/announce/2008/mfsa2008-54.html is also in thunderbird21:46
asactbird does http stuff21:46
asace.g. rss feed and so on21:47
asacbut well21:47
asacits ok to not name it21:47
asacor name it ;)21:47
whiteasac: so i guess there are two or three minor issues we don't have in the current round21:47
whitebut all major ones should be there21:47
whiteso we could build the final version now :)21:48
asacnice ... i forgot -59 in iceape ;)21:48
whiteasac: should i restart the build for icedove now? :)21:49
asacwhite: yes if you changed the other multi things.21:49
asacin changelog ... go ahead21:49
asacif you have the builds staged somewhere i can also take a look and test21:50
whiteasac: i am building them on a sec host, but can make them available after build21:50
whiteasac fta: I have added a bzr branch to https://code.launchpad.net/~steffen-joeris/+junk/icedove-3.0, which appears to build here. There are some concerning warnings, but it starts and seems to run22:03
whiteasac fta: i've packed the -source.tar.bz2 into a icedove-3.0_3.0~b1.orig.tar.gz locally (wasn't sure how you wanted it in bzr, if at all)22:04
whitehope it helps somehow22:05
asacwhite: why junk?22:05
asacyou can use the "thunderbird" project22:05
asacbut doesnt matter22:06
asaci can take a look at it as its now22:06
whiteasac: well, you said somewhere on launchpad ;)22:06
asachehe ;)22:06
asacwhite: oh22:06
asacwhite: you have to start with the thunderbird branch22:06
asacand then do the changes on top22:06
asacotherwise you cannot merge in future22:06
asacand dont add the tar ;)22:07
asacjust debian/ in bzr22:07
whiteasac: well i obviously had to rename all the stuff in /debian22:07
asacwhite: thats ok22:07
asacyou can use bzr mv22:07
asacto rename files22:07
asacwe do most things in debian/rules anyway22:07
asacso conflicts should be more or less bearable in future ;)22:08
asacfta: what do you think?22:08
whitethe tarball was kind of important for me as i couldn't get a complete tarball out of mozilla-devscripts :/22:08
asacwhite: yes. but not in the bzr branch ;)22:09
whiteasac: either way, I'll send Noel a mail with some information and a remark to contact you for further cooperation, if he continues to work on it :)22:09
asacyep22:09
ftaasac, sure. i do that quite a lot with all the xul 1.9/1.9.1/1.9.2 branches. bzr mv once then bzr merge22:10
asacfta: yeah. but i mean the filenames in .install will have a different path ... so conflicts will happen for sure22:11
asacdebhelper needs more features ;)22:11
asac(again)22:11
ftabzr seems to remember the mv22:11
asacyes the mv is no problem22:11
asacbut you s/thunderbird/icedove/ in files22:11
asacand then next time you touch them in tbird they conflict (rightfully)22:11
ftayep, some conflicts are expected but it's usually easy to solve22:12
asacdo we need debhelper files at all?22:12
asac;)22:12
asaci am more and more getting a fan of making all paths generic by punching stuff in debian/rules22:12
ftai'm afraid we do need them, too many files22:12
asacthat would help a bunch in rebranding and being downstream and so on22:12
asacyeah ... i think we should do mozhelper though22:13
ftaespecially the splits between several debs22:13
asacand add the generic features required to it22:13
asacwhat i want is easy variables in .install/link/dirs22:13
asacand also .sourcepackage extensions ;)22:13
ftawe could also make all those .in and subst filenames and paths22:14
asacyeah. its just that i get a bad feeling when thinking about templates ;)22:14
asacbut true22:14
asacfta: ah ... but we definitely would need debian/control.sourcepackage22:15
asacits not that easy to replace description and stuff generically22:15
asacwell maybe not "definitely" :)22:15
asaccontrol doesnt change often so branches will have rare conflicts there22:15
asacso no mozhelper, but everything .in :)22:16
ftachanging control is tricky as it's easy to confuse cdbs22:16
asaciceape building ... what a mess :)22:23
ftammmmm, tricky. when I upgrade from X to Y, what is run is "preinst(from-X) upgrade X", so the preinst script knows nothing about Y and doesn't have access to any file of Y22:55
ftaso preinst is not the good candidate22:55
ftaasac, ^^23:03
asacfta: why do you need to know Y from arguments?23:06
asacyou have access to the maintainer scripts23:07
ftathink about X -> Y -> X23:07
asacso you probably have to do templating23:07
asacif you need the version number23:07
asacfta: you mean if Y upgrade is rolled back ? or if you downgrade?23:07
ftadowngraded, like BUGabundo23:08
asacwhy would there be a problem when downgrading?23:09
ftayou start from X, stable, providing /etc/greX23:13
ftayou upgrade to Y, providing /etc/greY23:13
fta  -> preinst install X23:13
fta     -> look for gre files => only /etc/greX, not obsolete, do nothing23:13
fta  -> install /etc/greY => we have 2 gre files23:13
ftayou downgrade to X, providing /etc/greX23:13
fta  -> preinst install Y23:13
fta     -> look for gre files => /etc/greY is obsolete => removed23:13
fta                           => /etc/greX is not obsolete => do nothing23:13
fta  -> install /etc/greY fails as it has been removed by preinst => BINGO23:13
ftaeh23:14
ftathe last 3 lines are reversed X<->Y23:15
ftaasac, http://paste.ubuntu.com/100643/23:17
asac00:13 < fta>   -> preinst install X23:17
asacthis means23:17
asac00:13 < fta>   -> Y.preinst install X23:17
ftano, it's the old preinst23:17
asac      -> look for gre files => only /etc/greX, not obsolete, do nothing23:17
asacthats wrong23:18
asacwhy old preinst?23:18
asacthat isnt called on upgrade at all23:18
ftahttp://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#s-unpackphase23:18
fta   1.23:18
fta      If the package is being upgraded, call23:18
fta           old-postrm upgrade new-version23:18
fta   2.23:18
fta      If this fails, dpkg will attempt:23:18
fta           new-postrm failed-upgrade old-version23:18
asacthats postrm ;)23:18
asacnot preinst23:18
ftaoops23:18
asacso the problem here is that23:18
asac       -> look for gre files => only /etc/greX, not obsolete, do nothing23:19
asacshould do:23:19
ftaat that point, the new gre file is not there yet23:19
asac       -> look for gre files => remove all not /etc/greY23:19
asachmm23:19
ftathere's only the old one23:19
asacyou should just remove /etc/greX and all obsolete ;)23:20
asacyes. the new gre file is /etc/greY23:20
asacthats not needed at that point23:20
asacwe remove "previous" + all obsolete23:20
asacthat should be right23:20
ftabut pkg version != gre version23:21
asacthats for Y.new-preinst upgrade X23:21
ftai can add gre-version in the template and rm obsolete iif != (new) gre-version23:23
ftaasac, who else complain?23:25
asaclool23:25
asacbut that was "just" upgrade/install23:25
ftahm23:25
asache couldnt start after upgrade ... gre missing23:26
asacwe couldnt investigate unfortunately23:26
ftawhich version? 3.0 ?23:26
asacnot sure23:26
ftawhere was that? here?23:27
asacit was before holiday23:27
asaci think in #ubuntu-mobile23:27
ftaDec 17 15:54:51 <lool> Could not find compatible GRE between version 1.9.0.1 and 1.9.0.*.23:28
asacdid we land anything in 1.9 yet at all?23:30
ftaDec 17 15:55:36 <lool>  I'm doing a jaunty dist-upgrade, and it's been 20 minutes that firefox is broken during the upgrade with this message; I wonder why the dep isn't < 1.9.1 as well?23:30
ftaDec 17 16:07:15 <lool>  asac: Working again now; I wonder what broke it23:30
ftaso just during the dist-upgrade23:30
asacoh ;)23:31
asacthanks for being my memory23:31
ftaasac, http://paste.ubuntu.com/100653/ this should fix the bug, but we still have two gre just after a gre bump23:41
ftaasac, got a r+ for mozilla bug 460913 \o/23:44
ubottuMozilla bug 460913 in Build Config "Installer shouldn't copy xulrunner files into Firefox install directory" [Normal,Assigned] http://bugzilla.mozilla.org/show_bug.cgi?id=46091323:44
ftaasac, r- for mozilla bug 41261023:46
ubottuMozilla bug 412610 in Startup and Profile System "MAXPATHLEN too small for glibc's realpath()" [Normal,Resolved: fixed] http://bugzilla.mozilla.org/show_bug.cgi?id=41261023:46
