[Bug 261410] www/firefox: Update to 96.0.3 (unfixed security vulnerabilities)

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 28 Jan 2022 15:53:56 UTC

Jan Beich <jbeich@FreeBSD.org> changed:

           What    |Removed                     |Added
 Attachment #231401|maintainer-approval?(gecko@ |maintainer-approval+
              Flags|FreeBSD.org)                |

--- Comment #11 from Jan Beich <jbeich@FreeBSD.org> ---
Comment on attachment 231401
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=231401
v1.0 (zstd, git)

Awesome work! Looks generally fine. Some nitpicks:

> -		harfbuzz>=2.9.1:print/harfbuzz \
> +		harfbuzz>=2.7.4:print/harfbuzz \
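
Review bot: The `+` line lowers the harfbuzz floor from 2.9.1 to 2.7.4, which lets the port build against an older system harfbuzz than the previous revision accepted. The reason for relaxing the bound should be recorded in the commit message or next to the dependency line. If the lower bound is not intentional, keep `harfbuzz>=2.9.1`.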

Firefox 96 bundles harfbuzz 3.1.2, so the version check in
files/patch-bug847568 is stale.


> -		libvpx>=1.8.2:multimedia/libvpx \
> +		libvpx>=1.8.0:multimedia/libvpx \
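
Review bot: The libvpx minimum drops from 1.8.2 to 1.8.0 on the `+` line, and nothing in the hunk says which system libvpx versions the update was built and tested against. State the tested version in the commit message, or leave the bound at 1.8.2 if 1.8.0 was not actually exercised.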

Firefox 96 bundles libvpx 1.8.2, so the upstream version check in
toolkit/moz.configure is stale.


> -index 75c2c5e435e35..4d8c09c02759b 100644
> +index af08811..77a3b18 100644

(Cosmetic) "git add -p" makes it easy to skip such noise.

> -@@ -39,7 +39,7 @@ pref("extensions.postDownloadThirdPartyPrompt", true);
> +@@ -38,7 +38,7 @@ pref("extensions.postDownloadThirdPartyPrompt", true);

(Cosmetic) When only the offset changes but the context (surrounding lines)
remains the same, regenerating diffs can be skipped.

> diff --git gfx/2d/DrawTargetSkia.cpp gfx/2d/DrawTargetSkia.cpp

(Cosmetic) Sorting by Git kinda obfuscates what has really changed.

> +--- config/makefiles/rust.mk.orig      2020-05-12 09:36:22 UTC

(Cosmetic) Don't keep garbage from the old version.

> +Subject: [PATCH] Backport OpenBSD changes from 97 and WEBRTC_BSD, regen
> + gn+manifest for amd64 and i386 (actually, i686 with -msse2)

PkgSrc version for comparison:
Curiously, Firefox < 96 had x64*dragonfly.json but wasn't used due to

> dom/media/webrtc/third_party_build/gn-configs/x64_False_x64_freebsd.json

gn-configs/ and BUILD.gn aren't used during the Firefox build, only to generate
moz.build in a separate step.
Dropping those will shrink patch-webrtc by 92%, i.e., from 9.7 MiB to 698 KiB.

> ++  # Comment-out rustup on aarch64; no binary rustup for FreeBSD/aarch64

Confusing wording. "Comment-out" -> "Commented out" and ";" -> ":"

i686 works on x86_64 via rustup due to /usr/lib32 but aarch64 libs aren't
installed on x86_64 by default. Partial --sysroot can help e.g.,

  $ fetch https://pkg.freebsd.org/FreeBSD:14:aarch64/latest/All/rust-1.58.0.pkg
  $ tar xf rust-1.58.0.pkg
  $ cp -a ./usr/local/lib/rustlib/*-unknown-freebsd /usr/local/lib/rustlib/

  $ echo 'fn main() {}' >foo.rs
  $ rustc --target=aarch64-unknown-freebsd foo.rs
  error: linking with `cc` failed: exit status: 1
    = note: ld: error: foo.foo.32c0c825-cgu.0.rcgu.o is incompatible with
            ld: error: foo.foo.32c0c825-cgu.1.rcgu.o is incompatible with
            ld: error: foo.foo.32c0c825-cgu.2.rcgu.o is incompatible with
            ld: error: foo.foo.32c0c825-cgu.3.rcgu.o is incompatible with
            ld: error: foo.foo.32c0c825-cgu.4.rcgu.o is incompatible with
            ld: error: foo.foo.32c0c825-cgu.5.rcgu.o is incompatible with
            ld: error: foo.foo.32c0c825-cgu.6.rcgu.o is incompatible with
            ld: error: foo.50rnet0thytpgybx.rcgu.o is incompatible with
            cc: error: linker command failed with exit code 1 (use -v to see
  $ rustc -C link-args="--sysroot /poudriere/jails/main-aarch64" --target=aarch64-unknown-freebsd foo.rs
  $ file foo
  foo: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, FreeBSD-style, with debug_info, not stripped

  $ cargo new --bin bar
  $ cd bar
  $ export RUSTFLAGS='-C link-arg=--sysroot -C link-arg=/poudriere/jails/main-aarch64 --target=aarch64-unknown-freebsd'
  $ cargo build
  $ file target/debug/bar
  target/debug/bar: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, FreeBSD-style, with debug_info, not stripped
