Date: Sun, 24 Apr 2016 21:40:37 +0200 From: Tijl Coosemans <tijl@FreeBSD.org> To: Jan Beich <jbeich@FreeBSD.org> Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: Re: svn commit: r413726 - in head: Mk/Uses www/firefox www/firefox-esr www/firefox-esr-i18n www/firefox-esr/files www/firefox-i18n www/firefox/files www/libxul www/libxul/files www/linux-firefox Message-ID: <20160424214037.78dfeb4f@kalimero.tijl.coosemans.org> In-Reply-To: <k2jn-6jyr-wny@vfemail.net> References: <201604211118.u3LBIDqo045010@repo.freebsd.org> <20160424153714.78a11f70@kalimero.tijl.coosemans.org> <k2jn-6jyr-wny@vfemail.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 24 Apr 2016 18:38:04 +0200 Jan Beich <jbeich@FreeBSD.org> wrote: > Tijl Coosemans <tijl@FreeBSD.org> writes: >> On Thu, 21 Apr 2016 11:18:13 +0000 (UTC) Jan Beich <jbeich@FreeBSD.org> wrote: >>> Author: jbeich >>> Date: Thu Apr 21 11:18:13 2016 >>> New Revision: 413726 >>> URL: https://svnweb.freebsd.org/changeset/ports/413726 >>> >>> Log: >>> www/firefox{,-esr}: update to 46.0 (rc4) / 45.1esr >> >> I don't think you should commit release candidates to the main port. > > Firefox release candidates are not of beta quality, especially less than > a week before the (scheduled) announcement. At this point anything not > found during beta lifecycle is likely specific to FreeBSD or the port > (e.g. patches, configure options). For one, OMTC crashes weren't noticed > before firefox 40.0 merged to /head. If you fear stability issues switch > to www/firefox-esr. > > There's also a vulnerability window 1-2 weeks before each release when > security fixes have landed but not yet propagated to users. One way to > find them is to look for commits associated with "access denied" bugs, > except those hiding corporate details. Mozilla wants downstream to get > the fixes on the release day but given FreeBSD is Tier3 platform > (i.e. regressions don't block) we won't get them unless pkg.freebsd.org > is given a few days to build. I understand this so I won't push it, but I still disagree. I know release candidates are better than beta, but they aren't releases. They are not meant for production use yet. Upstream does not push them to their users and neither should we. Imagine if we pushed release candidates for all ports. I don't think it would be appreciated. >> Create www/firefox-beta for that or something. > > Who is going to use it? Why should I care about the rest of gecko@ then? > www/firefox-nightly would be more interesting but I've burnt out > maintaining it once and not confident this won't repeat. I assumed you committed the release candidate because you wanted some users to test it. >>> Changes: https://www.mozilla.org/firefox/46.0/releasenotes/ >>> Changes: https://www.mozilla.org/firefox/45.1.0/releasenotes/ >>> Security: 92d44f83-a7bf-41cf-91ee-3d1b8ecf579f >> >> What does this number refer to? > > "Reserved" in the spirit of CVEs. ;) That VuXML entry will be populated > once the new batch of MFSAs is published with 46.0 release announcement. Maybe you can already create the vuxml entry and modify it when the advisories are published.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160424214037.78dfeb4f>