-
-
Notifications
You must be signed in to change notification settings - Fork 14.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove end-of-life spidermonkey versions (78, 91, 102) #157874
Comments
Here's the other packages that I've been monitoring:
|
I'd like to remind the people here that branch-off is scheduled for tomorrow and depending on how good the staging builds progress, we will branch off rather soon. |
cjs seems to be the limiting factor. I think libproxy has not been
correctly configuring spidermonkey so it could just be removed as a
dependency and no functionality would change.
91.9.1 is actually the first version I've seen that unequivocally deals
with a spidermonkey defect as the CVE, and unless that was a recent
regression it therefore means clearly insecure EOL versions. It would make
sense to isolate the usage of 78 to dependents that can be confirmed to
require no sandboxing ( or other separation of privileges) and otherwise
mark it insecure?
I have no access to a normal computer this weekend though so I probably
can't try anything ahead of the release.
…On Sat, 21 May 2022, 19:07 Janne Heß, ***@***.***> wrote:
I'd like to remind the people here that branch-off is scheduled for
tomorrow and depending on how good the staging builds progress, we will
branch off rather soon.
—
Reply to this email directly, view it on GitHub
<#157874 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAK3LPM7SJT7JS5A5WYHDWTVLEJ37ANCNFSM5NMX6W5Q>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Unrealistic to achieve and postponed to the 22.11 release cycle. Thanks for your research and documentation on the topic! |
libproxy could now be moved of 78 but cjs remains a problem as well as some other dependents. |
see #181917 |
Polkit done in #181264. |
I guess we can now remove |
#182618 updates gjs |
|
It's not possible for 0ad unfortunately. The versions of spidermonkey have to match between clients, and we can't rely on other clients using the same version. AFAIK there are also no patches written yet for compatibility with 102. |
Cinnamon 5.8 & CJS 5.8 bump (should use spidermonkey_102) |
The 102 series will go EOL on 2023-08-29. The 115 series will be released in early July. https://whattrainisitnow.com/calendar/ |
The next GJS (>= 1.77.2, as part of GNOME 45) will depend on spidermonkey 115 |
@chvp Please can you inline spidermonkey_78 inside 0ad? We will drop it officially but you can keep using it as the sole consumer of this package. @puffnfresh Can you consider what it takes to move away from spidermonkey 102 in jsawk? Thanks! @aforemny @jfrankenau Can you consider what it takes to move away from spidermonkey 102 in plowshare? Thanks! I guess, we will have spidermonkey 102 for NixOS 23.11, but we can remove any public use of the previous versions IMHO by inlining 78 (0ad) & 91 (CouchDB 3.x) to their call site. |
I'm not convinced inlining is a good solution to this problem. It's not like we are getting new consumers of EOL spidermonkey versions regularly. |
It's not a permanent solution to the problem, it's a "let's erase them from the top-level" temporary solution. |
Both of these just call the |
Spidermonkey is likely affected by GHSA-gv5g-5832-j3rm, GHSA-cm37-53wc-mx6g, so please evaluate whether your applications could be affected by that. I'm inclined to mark versions older than 115 as known vulnerable at some point. |
0ad should not be affected, no remote JS is loaded. |
The patches are mozilla/gecko-dev@81806e7 and mozilla/gecko-dev@afbdf68 according to the bug ID I think. It looks like |
This comment was marked as outdated.
This comment was marked as outdated.
Cinnamon 6.2 and CJS 6.2 bump (should use spidermonkey_115) |
The next version of 0ad will support a newer version of spidermonkey - unfortunately only 91 but then we can drop 78: 0ad/0ad@9513e7e |
That is so very cool of them, now that 128 ESR is released. 🤦 |
Next version of CouchDB will have support for QuickJS: apache/couchdb#4627 |
#333028 packages |
Both package have reached their end of life together with their respective firefox versions and should be removed before NixOS 22.05.
spidermonkey_68: drop #153451spidermonkey_68
:spidermonkey_78
: EOL since 2021/11spidermonkey_91
: EOL since 2022/09spidermonkey_102
: EOL since 2023/09https://endoflife.date/firefox
@lostnet @abbradar @ajs124
The text was updated successfully, but these errors were encountered: