From: Jan Beich
To: "Mikhail T."
Cc: gecko@freebsd.org
Subject: Re: Restoring seamonkey
Date: Sun, 29 Mar 2020 21:13:10 +0200
In-Reply-To: (Mikhail T.'s message of "Sun, 29 Mar 2020 11:25:11 -0400")

"Mikhail T." writes:

> On 28.03.20 20:47, Jan Beich wrote:
>
>> Lack of the homework.
>
> I really don't understand this, Jan... Let's replay:
>
> 1. I wanted to install Seamonkey on a system I'm dressing up, and
>    found, that the port is no longer available.
> 2. I looked for the final commit-message, and found:
>    1. it was deleted by you, last year;
>    2. it was deleted for lack of updates.

     3. It was deleted due to being perma-vulnerable.
     4. It was deleted because of crashes on amd64 when built by Clang 8.
     5. It was deleted because it blocked bsd.gecko.mk cleanup.

> 3. So, I looked at the upstream's site, and found, that they've made
>    several releases since then, most recent -- last month.

2.49.5 was released too late while 2.53.1 was vulnerable since release.
2.53.1 is based on ESR60 which is no longer supported by bsd.gecko.mk.
https://svnweb.freebsd.org/changeset/ports/511274

> 4. I then wrote you an e-mail inquiring, if the port can be restored...

Did you try to build 2.53.1 before writing the email?

> Do the 2. and the 3. not qualify as "homework"? What more should I
> have done before approaching you for comment?

Work with upstream to fix FreeBSD-specific regressions e.g.,
https://bugzilla.mozilla.org/show_bug.cgi?id=1437670

>> Patches do the talking better.
>
> So, you're angry at me for not doing the work, which you're trying to
> dissuade me from doing in the first place?

If you don't use bsd.gecko.mk then the revived www/seamonkey wouldn't
complicate maintenance of www/firefox + mail/thunderbird. And having
a separate maintainer would keep the port under care of a specific person
instead of dumping the work on a non-functional team at first opportunity.

>> According to SeaMonkey 2.53.1 release notes the engine was updated to
>> Firefox 60.2ser with security fixes up to Firefox 72. Current version of
>> Firefox is 74 while 75 is expected next week. Finding applicable
>> vulnerabilities requires checking the code e.g., trying every fix
>> against SeaMonkey tree but assuming some rebase churn.
>
> So, your earlier statement about it still being vulnerable is not
> based on any such research, and cannot be substantiated?..

I'm not a security researcher and don't have access to restricted bugs.
Here're a few candidates from a cursory look:

- https://hg.mozilla.org/releases/mozilla-release/rev/e50b821c8747
  is part of CVE-2020-6800 which applies as is to SeaMonkey 2.53.1.

- https://hg.mozilla.org/releases/mozilla-release/rev/c7545f9cfe8f
  is part of CVE-2020-6798 which needs minor rebase to apply to
  SeaMonkey 2.53.1.

- https://hg.mozilla.org/releases/mozilla-release/rev/23240642f474
  is part of CVE-2019-20503 which needs minor rebase to apply to
  SeaMonkey 2.53.1.

- https://hg.mozilla.org/releases/mozilla-release/rev/90e3d7f045bd
  is part of CVE-2020-6814 which needs minor rebase to apply to
  SeaMonkey 2.53.1.

Thanks to https://wiki.mozilla.org/Security/Bug_Approval_Process
obfuscation not all fixes for CVEs are easy to find.
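
The triage described in the message above (trying each upstream fix against a downstream tree and noting whether it applies as is or needs a rebase) can be sketched as follows. This is an added example, not part of the original email or of any FreeBSD or Mozilla tooling; the diff, the file contents and the verdict labels are constructed, and the parser handles a one-file unified diff only.

```python
import re
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+\d+(?:,\d+)? @@")

def parse_hunks(diff_text):
    """Split a one-file unified diff into (old_start, old_lines, new_lines)."""
    hunks = []
    for line in diff_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            hunks.append((int(m.group(1)), [], []))
        elif hunks and line[:1] in (" ", "-", "+"):
            _, old, new = hunks[-1]
            if line[0] != "+":          # context or removed: pre-fix text
                old.append(line[1:])
            if line[0] != "-":          # context or added: post-fix text
                new.append(line[1:])
    return hunks

def find_block(lines, block):
    """Indexes (0-based) where block occurs as a contiguous run in lines."""
    n = len(block)
    return [i for i in range(len(lines) - n + 1) if lines[i:i + n] == block]

def triage(diff_text, target_text):
    """One verdict per hunk; pre-fix text is checked first so ties err towards 'unfixed'."""
    lines = target_text.splitlines()
    verdicts = []
    for old_start, old, new in parse_hunks(diff_text):
        hits = find_block(lines, old)
        if hits:
            verdicts.append("applies as is" if old_start - 1 in hits else "applies with offset")
        else:
            verdicts.append("already fixed" if find_block(lines, new) else "needs rebase")
    return verdicts

# Constructed sample: an upstream fix and three downstream states of the same file.
FIX = """--- a/buffer.c
+++ b/buffer.c
@@ -2,4 +2,6 @@
 {
     size_t n = hdr->len;
+    if (n > cap)
+        return;
     memcpy(dst, src, n);
 }
"""
PRE = "void copy(char *dst, char *src, struct hdr *hdr, size_t cap)\n{\n    size_t n = hdr->len;\n    memcpy(dst, src, n);\n}\n"
DRIFTED = "/* downstream-only header */\n" + PRE
REWRITTEN = PRE.replace("hdr->len", "hdr_len(hdr)")
```

A "needs rebase" verdict only says the pre-fix lines were not found verbatim; whether the flaw is still present in the rewritten code has to be checked by reading it.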