Re: [Bug-gnuzilla] icecat maintenance


From: Mark H Weaver
Subject: Re: [Bug-gnuzilla] icecat maintenance
Date: Tue, 26 Dec 2017 16:20:05 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Antonio Trande <address@hidden> writes:

> Hi Mark.
>
> On 26/12/2017 03:15, Mark H Weaver wrote:
>> Gammel Holte <address@hidden> writes:
>> 
>>> On Thu, Dec 21, 2017 at 5:33 PM, Antonio Trande <address@hidden> wrote:
>>>  Will Icecat be upgraded still?
>>>
>>> I was wondering the same thing. As much as I dislike the latest moves
>>> by Mozilla [1] and as much as I like GNU and IceCat, I'm a bit worried
>>> by the lack of maintenance of the project.
>>>
>>> IceCat is quite lagging behind Firefox ESR now. HEAD is 52.3.0,
>>> whereas Firefox ESR is already at 52.5.2.
>> 
>> I agree that this is a very serious problem.  GNU IceCat is my primary
>> web browser, and I worry a *lot* about computer security.
>> 
>> As de facto maintainer of the IceCat package in GNU Guix, I have a
>> solution for myself and for other GNU Guix users.  Whenever Mozilla
>> issues a security advisory, I search for the associated fixes in the
>> upstream mozilla-esr52 source repository, and apply them to our packages
>> in GNU Guix.  At the time of this writing, we include 69 patches
>> cherry-picked from upstream Firefox ESR, including all fixes from 52.5.2
>> that I deemed to be possibly relevant to security.
>> 
>
> Where do you find all release related patches?

In the upstream mozilla-esr52 source repository.  I cloned the mercurial
repo locally, but the web-based repository browser is here:

  https://hg.mozilla.org/releases/mozilla-esr52/

The Mozilla security advisories list the bug number(s) associated with
each CVE, and the bug numbers are shown in the summary lines of the
upstream changesets.  Here are the advisories for Firefox ESR:

  https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

I generally look through *all* of the bug fixes from one ESR release to
the next, even the ones that haven't been assigned CVEs.

      Mark
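
The matching step described in the message above, sketched as an added example (not part of the original email and not Mark's or GNU Guix's own tooling): it links advisory bug numbers to changeset summary lines and also lists the changesets that no advisory mentions, since those are reviewed too. The `Bug NNNNNN - ...` summary format, the `OLD_TAG`/`NEW_TAG` revision names, and all CVE ids, bug numbers and hashes are constructed placeholders.

```python
import re
from collections import defaultdict

# Assumption: summaries reference their bug as "Bug 1000001 - ..." (case-insensitive).
BUG_RE = re.compile(r"\bbug\s+(\d+)", re.IGNORECASE)

# Constructed sample, shaped like the output of a command such as
#   hg log -r "OLD_TAG::NEW_TAG" --template "{node|short}\t{desc|firstline}\n"
SAMPLE_LOG = (
    "aaaaaaaaaaaa\tBug 1000001 - Check length before copying. r=reviewer a=approver\n"
    "bbbbbbbbbbbb\tBug 1000002 - Part 1: Hold a strong reference. r=reviewer\n"
    "cccccccccccc\tBug 1000002 - Part 2: Add a test. r=reviewer\n"
    "dddddddddddd\tBug 1000009 - Fix crash on shutdown. r=reviewer\n"
    "eeeeeeeeeeee\tNo bug - Update version number. a=release\n"
)

# Constructed sample: CVE id -> bug numbers listed in the security advisory.
SAMPLE_ADVISORY = {
    "CVE-EXAMPLE-1": [1000001],
    "CVE-EXAMPLE-2": [1000002, 1000003],
}

def parse_log(text):
    """Parse 'node<TAB>summary' lines into (node, summary, bug-number set) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        node, _, summary = line.partition("\t")
        entries.append((node, summary, {int(n) for n in BUG_RE.findall(summary)}))
    return entries

def triage(advisory, entries):
    """Return (CVE -> changesets, changesets with no advisory bug, advisory bugs not found)."""
    bug_to_cves = defaultdict(set)
    for cve, bugs in advisory.items():
        for bug in bugs:
            bug_to_cves[bug].add(cve)
    linked, unlinked, seen = defaultdict(list), [], set()
    for node, _summary, bugs in entries:
        hits = bugs.intersection(bug_to_cves)
        if not hits:
            unlinked.append(node)  # no CVE attached: still needs a manual look
        for bug in hits:
            seen.add(bug)
            for cve in sorted(bug_to_cves[bug]):
                linked[cve].append(node)
    # Advisory bugs with no changeset in this range need a manual search.
    return dict(linked), unlinked, sorted(set(bug_to_cves) - seen)
```

Calling `triage(SAMPLE_ADVISORY, parse_log(SAMPLE_LOG))` gives the per-CVE patch list, the unlabelled changesets left to read by hand, and any advisory bug whose fix was not found in the range.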



