- Package:
- src:firefox-esr
- Source:
- firefox-esr
- Submitter:
- "Bastien Roucariès"
- Date:
- 2023-02-27 21:45:04 UTC
- Severity:
- serious
- Tags:
Hi, By default firefox does not allow symlink in system extension. It is really bad from the point of view of the javascript team, from a point of view of maintenability and security... Chrome allow symlink BTW. Maintainer do a copy of each javascript file instead at build time (they do not use trigger....) I found this bug during a lintian audit of embdeded javascript pacakge. This is not documented and I do know if security team is aware of this. Firefox upstream recommand to use packaged and signed extension. It is worse from the point of view of the javascript team because it will need binNMU of arch all file, that is not implemented. Therefore, could we recover the old system of working symlink ? We have now salsa to test regression and it could be safe. Bastien
control: reassign -1 src:firefox-esr
Control: severity -1 normal While the lack of arch: all binNMUs is annoying, it can be worked around. Also, looking at the current set of xul-ext-* extensions, none of them seem to suffer from any of the above issues. So I don't see a reason for this bug to have serious severity. Cheers
Dear Maintainer,
punycode is still here duplicated from libjs-punycode...
webext-noscript: /usr/share/webext/noscript/lib/punycode.js
webext-noscript: /usr/share/webext/noscript/lib/punycode.js.LICENSE.txt
webext-ublock-origin-chromium: /usr/share/chromium/extensions/ublock-
origin/lib/punycode.js
webext-ublock-origin-firefox:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/uBlock0@raymondhill.net/lib/punycode.js
webext-umatrix: /usr/share/webext/umatrix/lib/punycode.js
They are other and this should be avoided
Bastien