Re: Switching GNU IceCat to follow upstream candidates (Amin Bandali)
From: Mark H Weaver
Subject: Re: Switching GNU IceCat to follow upstream candidates (Amin Bandali)
Date: Wed, 21 Feb 2024 12:55:38 -0500

Hi Adam,

Adam Faiz <adam.faiz@disroot.org> writes:

> Would other big changes to IceCat be accepted? I sent my ideas for the
> roadmap about 2 years ago but I got no feedback:
> https://lists.gnu.org/archive/html/gnuzilla-dev/2022-12/msg00000.html

The only specific suggestion I see there is to add support for
unbundling many of the libraries that are currently bundled by upstream
Firefox. In the past, I made some efforts along these lines in the Guix
packaging for IceCat, and some vestigial remnants of those efforts still
remain in the Guix repository, although they are long unused.

https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/patches/icecat-use-system-graphite2+harfbuzz.patch?id=5e66832ad47a2f4222ccf681c39266cfc9fc1f15
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/patches/icecat-use-system-media-libs.patch?id=5e66832ad47a2f4222ccf681c39266cfc9fc1f15

With the update to IceCat 102, I found that these patches no longer
applied, and since then, I've not found the time/energy/interest to
maintain them.

Moreover, even if volunteers showed up to keep patches like these
"working", by which I mean "not obviously broken", there's another
question worth asking: would we be unintentionally introducing security
vulnerabilities by unbundling these libraries? It's not a trivial
question to answer. At minimum, I would want us to keep a close eye on
any security fixes applied to the bundled libraries, and implement
checks to make sure that the system libraries used by IceCat also
included those fixes. This job is made more difficult by the fact that
not all fixes to bundled libraries that have security implications will
be explicitly identified as security fixes, because in general it is
nontrivial to find out whether any given bug can be exploited.

In my opinion, the IceCat project does not, at this time, have enough
developer energy to take on the job of maintaining patches such as
these. I welcome other opinions.

Regards,
Mark