Hi.

Would be good to see 101 packaged ASAP, as it fixes numerous issues,
including some which are apparently thought to allow remote code
execution.


Cheers,
Chris.

close 1012275 101.0-1
thanks

 ❦  3 June 2022 20:48 +02, Salvatore Bonaccorso:

Unfortunately, Firefox is not buildable due to depending on a version of
Cargo not available in unstable.

Shouldn't that be reopened then?

I wouldn't be surprised if quite a number of people use the non ESR FF,
probably also DDs/DMs.

And because of rust deps, it seems to happen more often now, that
security critical upgrades cannot enter unstable. (And yes I'm well
aware, that unstable has no official security support, but still).


Cheers,
Chris.

reopen 1012275
tags 1012275 patch


Hi,

On Sun, 05 Jun 2022 23:46:25 +0200 Christoph Anton Mitterer <calestyo@scientia.org> wrote:

I am not sure though why the packaging requires a newer cargo version
then available from unstable and not just a newer rustc version, I
tried lowering the required version (see patch below) and it builds
just fine for me.


Cheers,
Julian


Patch:

diff -upNr a/debian/control b/debian/control
--- a/debian/control	2022-05-31 23:07:37.000000000 +0200
+++ b/debian/control	2022-06-06 13:50:48.239713566 +0200
@@ -28,7 +28,7 @@ Build-Depends: autotools-dev,
                yasm,
                nasm (>= 2.14) [amd64 i386],
                rustc (>= 1.59),
-               cargo (>= 0.60),
+               cargo (>= 0.57),
                llvm-dev,
                libclang-dev,
                clang,
diff -upNr a/debian/control.in b/debian/control.in
--- a/debian/control.in	2022-05-31 23:04:04.000000000 +0200
+++ b/debian/control.in	2022-06-06 13:51:17.093109680 +0200
@@ -51,9 +51,9 @@ Build-Depends: autotools-dev,
                rustc (>= 1.59),
 %endif
 %if DIST == bullseye || DIST == buster || DIST == stretch
-               cargo-mozilla (>= 0.60),
+               cargo-mozilla (>= 0.57),
 %else
-               cargo (>= 0.60),
+               cargo (>= 0.57),
 %endif
 %if DIST == stretch
                gcc-mozilla (>= 7.1),
diff -upNr a/debian/patches/debian-hacks/Lower-cargo-version.patch b/debian/patches/debian-hacks/Lower-cargo-version.patch
--- a/debian/patches/debian-hacks/Lower-cargo-version.patch	1970-01-01 01:00:00.000000000 +0100
+++ b/debian/patches/debian-hacks/Lower-cargo-version.patch	2022-06-06 14:13:11.030629556 +0200
@@ -0,0 +1,13 @@
+diff --git a/python/mozboot/mozboot/util.py b/python/mozboot/mozboot/util.py
+index 86720993d0..fdbf48f3ed 100644
+--- a/python/mozboot/mozboot/util.py
++++ b/python/mozboot/mozboot/util.py
+@@ -23,7 +23,7 @@ if sys.version_info < (3,):
+ else:
+     from urllib.request import urlopen
+
+-MINIMUM_RUST_VERSION = "1.59.0"
++MINIMUM_RUST_VERSION = "1.56.0"
+
+
+ def get_tools_dir(srcdir=False):
diff -upNr a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series	2022-05-31 22:51:42.000000000 +0200
+++ b/debian/patches/series	2022-06-06 14:13:27.027350785 +0200
@@ -17,3 +17,4 @@ debian-hacks/Avoid-using-vmrs-vmsr-on-ar
 debian-hacks/Use-build-id-as-langpack-version-for-reproducibility.patch
 debian-hacks/Allow-to-build-with-older-versions-of-nodejs-10.patch
 debian-hacks/Fix-math_private.h-for-i386-FTBFS.patch
+debian-hacks/Lower-cargo-version.patch

Could someone then possibly rebuild this with Julian’s patch, ASAP?

Over a week with a likely remote code exploit hole in the browser of
any Debian (non-ESR) FF user, seems not so ideal,

Thanks,
Chris.

There's a 101.0.1 on the way.

I assume you mean "being built for Debian"?

Anyway... thanks for taking care. :-)

Cheers,
Chris.