Date:      Thu, 27 Apr 2017 14:41:40 +0200
From:      Jan Beich <jbeich@FreeBSD.org>
To:        Tommi Pernila <tommi.pernila@iki.fi>
Cc:        gecko@freebsd.org
Subject:   Re: FreeBSD ports - Thunderbird and Firefox / Firefox-ESR
Message-ID:  <wpa6-ja4b-wny@FreeBSD.org>
References:  <CABHD1wQNJ%2BYtWLd--kaEroQ9tWCtNdBHLAB6uVCrq6LACUaX7g@mail.gmail.com>

Tommi Pernila <tommi.pernila@iki.fi> writes:

> I use these ports daily and I compile them with a few custom flags/settings
> with poudriere (the most notable being DEFAULT_VERSION+=ssl=libressl).
>
> So would you need help with testing these?

Aren't you already testing? Also, gecko@ ports use NSS instead of
(Open|Libre|Boring)SSL.

> Also, how could I help to get the latest versions to the ports tree
> as fast as possible?

By improving FreeBSD support upstream, reporting regressions early.
For one, try building Firefox Nightly

   $ pkg install python27
   $ hash git 2>/dev/null || pkg install mercurial
   $ hg clone https://hg.mozilla.org/mozilla-unified firefox ||
     git clone https://github.com/mozilla/gecko-dev firefox
   $ cd firefox
   $ ./mach bootstrap # select Firefox for Desktop
   $ ./mach build
   $ ./mach run
   $ ./mach package

or run a build for 12.0-CURRENT amd64 from

http://buildbot.rhaalovely.net/builds/

> As most of the updates nowadays are about security vulnerabilities.

Firefox in multiprocess mode supports sandboxing the content process and
plugins (NPAPI and GMP). This is implemented only for Tier1 platforms.
On Tier3 platforms like FreeBSD, running Firefox with unpatched
vulnerabilities is less secure.

https://wiki.mozilla.org/Security/Sandbox
https://wiki.freebsd.org/Capsicum

> As I'm working in the IT security field, I don't want to get bitten by a
> public vulnerability ;)

Relying solely on VuXML is a recipe to get bitten, e.g.,

https://security-tracker.debian.org/tracker/source-package/audiofile
https://security-tracker.debian.org/tracker/source-package/jasper
https://security-tracker.debian.org/tracker/source-package/imagemagick
https://security-tracker.debian.org/tracker/source-package/zziplib

but the effort to automatically query CVE database seems to have stalled.

https://wiki.freebsd.org/Ports/CPE


