On Thu, Sep 30, 2010 at 1:09 PM, Christopher Aillon <caillon@xxxxxxxxxx> wrote:
> On 09/30/2010 05:19 AM, Sven Lankes wrote:
>> On Thu, Sep 30, 2010 at 06:37:33PM +0900, Takanori MATSUURA wrote:
>>
>>> If someone implements
>>> --enable-system-libvpx
>>> --enable-system-vorbis
>>> --enable-system-ogg
>>> --enable-system-theora
>>> into the Mozilla source, we can easily remove source for the
>>> libraries. And Fedora will be happy. :-)
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=577653
>>
>> Looking at how rigorously new packages with bundled libs are fought we
>> should really stop shipping Firefox and start shipping Iceweasel.
>
> I personally don't care what we call it.  I'm not going to start
> breaking funny cat videos just to meet packaging ideals on a deadline.
> I'd rather deal with all you guys complaining on fedora-devel and in
> fesco tickets than the influx of bugs if I started breaking shit.  It's
> bad enough that there are more bugs than we can handle.  Besides,
> Mozilla has a good track record of allowing system libs after things
> settle down, and I have no doubt that we'll get these at some point.
>
> From Mozilla's perspective, they could:
>
> 1. Do what they are doing now, temporarily not allow a few new system
> libs, waiting until they get banged into shape and *then* enable system
> libs (down the road).
> 2. Bang on the code in private and wait until it meets every Fedora
> packaging guideline, etc, until committing to the upstream repository,
> so we all get to wait for all of the cool shit that's happening.
>
> Please note that we're talking about pre-release versions of Firefox in
> a pre-release version of Fedora anyway, so a lot of churn is to be
> expected.  We're almost certainly going to have to temporarily disable
> and reenable a lot of other system libs during the beta cycles to get
> builds out the door, just like we always do in rawhide.  Not that I can
> guarantee that the release version will have all the above system libs
> enabled, but we'll know a lot more closer to FF4 and F15 release time.

I yelled pretty loudly when Fedora first packaged libvpx because Fedora
took a _known vulnerable_ version which Mozilla and Opera were patching
around but where the upstream hadn't yet merged the fixes.

Things are more mature now but there are still somewhat scary fixes
happening, at least with the platform dependent code:
https://review.webmproject.org/#change,603

Mozilla being a vector for the widescale exploitation would be terrible
for their image, and also terrible for Fedora's, we really don't want to
create our own version of the Debian OpenSSL RNG bug.

There really is a common interest here and the folks on the Mozilla side
are better informed about the risks.

The patches Mozilla is carrying are visible as files in the respective
directories here: http://mxr.mozilla.org/mozilla-central/source/media/

I'd suggest that Fedora folks interested in the bundling help by making
sure that the applicable fixes make it upstream. Even if Fedora were to
ditch the trademarks you couldn't escape doing this work.