
Re: [Bug-gnuzilla] [Slackbuilds-users] icecat 38.8.0 crashes


From: Ivan Zaigralin
Subject: Re: [Bug-gnuzilla] [Slackbuilds-users] icecat 38.8.0 crashes
Date: Tue, 16 Aug 2016 11:05:28 -0700
User-agent: KMail/4.14.10 (Linux/4.4.14-gnu; KDE/4.14.21; x86_64; ; )

Personally, I am somewhat unhappy about the gnuzilla update/security policy. 
The move to forties apparently is not happening because it breaks saved cookie 
preferences or something, but I have to question the wisdom of withholding 
fixes for remote code execution because of that.

Having said that, I think we need to take a few factors into consideration. 
First of all, it's not gnuzilla's fault firefox is so insecure, it's mozilla's 
fault. This browser has like a million holes in it, and may be the most 
updated package in Slackware. Lagging a few releases behind sucks, especially 
when the bugs are made public, but at the same time it looks like every 
firefox release in the last few years had terrible security holes in it, so I 
don't really feel that much safer using the latest version, and neither should 
you. If security is very important to a user, it may be prudent to switch 
browsers.

Also, gnuzilla has a mission and a goal, and mozilla is not making it easy. 
They keep putting more and more ugly stuff into firefox and changing the 
security policy, like with the cookies above, while gnuzilla team is committed 
to releasing a product which meets their rather high standards. As a volunteer 
effort, they've done great, and it would be completely unfair to chastise them 
for lagging behind mozilla, since gnuzilla are not the ones breaking it 
every release cycle. 

Finally, I believe there is a niche opening up for a firefox-based browser 
which is libre and meets free software distribution guidelines like icecat, 
but has no extra privacy features, and passes all the mozilla pearls onto the 
users. Such minimal deblobbing could be potentially more robust: that is, new 
releases could be churned out as quickly and reliably as linux-libre. Looking 
at Parabola's thunderbird & seamonkey builds, I imagine something like that 
could be done for firefox as well. Anyone can step in and claim the glory for 
this one :) I don't have time to write a slackbuild like that and run it by 
FSF, but if anyone did it, I think I would actually switch.

On Tuesday, August 16, 2016 09:57:03 address@hidden wrote:
> Good morning
> 
> Having got latest Icecat building with the -Os switch, it seems there are
> some reports of [serious?] security issues with it.
> 
> Here is where I first read something:
> https://lists.gnu.org/archive/html/bug-gnuzilla/2016-08/msg00000.html
> 
> And I have seen further discussion and consternation about what to do with
> Icecat and perhaps not using Firefox as base etc.  I'm really relatively
> only a 'user' so to speak, so I'm interested to know what others feel....is
> there a serious security risk ?
> 
> I realise this is SBo and not an Icecat forum,  but I wonder what the
> contributors (and maintainer) on SBo feel about the reports being made;
> should it affect whether Icecat is on SBo if it's known to be 'risky', or
> does it not matter, should comments be made [in the info] or is it up to
> anyone wanting to use it to be self-aware and generally any other comments
> to share.
> 
> If this list really is inappropriate for posts like this (whatever 'this'
> is), then just let me know.....but I would be interested in what more
> knowledgeable people on SBo feel ?
> 
> 
> Thank you and good day to all.
> Habs
> 
> On 8 August 2016 at 23:16, <address@hidden> wrote:
> > hi there all
> > 
> > I have tried the -Os switch and it does appear to remedy the problem.
> > Icecat no longer crashes in the scenario(s) I have documented.
> > 
> > I wonder what the -O2 switch does differently to the -Os one.
> > 
> > So for now that does appear to be the 'fix'. Thank you all.
> > 
> > 
> > Habs
> > 
> > On 8 August 2016 at 20:36, Ryan P.C. McQuen <address@hidden> wrote:
> >> On Monday, August 8, 2016, Ivan Zaigralin <address@hidden> wrote:
> >>> I still can't replicate any crash whatsoever, even in places where others
> >>> report them. However, Matt tells me that crashes went away after he rebuilt
> >>> with -Os. He also mentioned he's got an AMD Phenom, whereas I am using Intel
> >>> CPU, which may explain why I am unable to hit this snag.
> >>> 
> >>> I can certainly submit a fixed SlackBuild if there's a consensus -Os is an
> >>> effective fix. Please let me know :)
> >> 
> >> Seems like that would be valid, since Slackware's own Firefox build was
> >> passing that for version 43, and only removed it for versions past 43:
> >> 
> >> (Changelog reference):
> >> 
> >> Wed Dec 23 22:44:58 UTC 2015
> >> a/lvm2-2.02.138-i586-1.txz: Upgraded.
> >> ap/ghostscript-9.18-i586-1.txz: Upgraded.
> >> ap/lsof-4.89-i586-1.txz: Upgraded.
> >> l/pycups-1.9.73-i586-1.txz: Upgraded.
> >> l/pycurl-7.19.5.3-i586-1.txz: Upgraded.
> >> n/NetworkManager-1.0.10-i586-1.txz: Upgraded.
> >> n/curl-7.46.0-i586-1.txz: Upgraded.
> >> n/links-2.12-i586-1.txz: Upgraded.
> >> n/obexfs-0.12-i486-1.txz: Removed.
> >> 
> >>        This functionality is now included in the obexftp package.
> >> 
> >> n/obexftp-0.24-i586-1.txz: Upgraded.
> >> 
> >>        Thanks to Robby Workman.
> >> 
> >> n/openobex-1.7.1-i586-1.txz: Upgraded.
> >> 
> >>        Thanks to Robby Workman.
> >> 
> >> n/rsync-3.1.2-i586-1.txz: Upgraded.
> >> x/libXi-1.7.6-i586-1.txz: Upgraded.
> >> x/pixman-0.33.6-i586-1.txz: Upgraded.
> >> x/xorg-cf-files-1.0.6-noarch-1.txz: Upgraded.
> >> xap/mozilla-firefox-43.0.2-i586-2.txz: Rebuilt.
> >> 
> >>        Compile with -Os instead of -O2 to work around crash issues.
> >>        Recent betas are working fine with -O2, so we'll probably be
> >>        able to switch back to that again soon. Thanks to j_v.
> >> 
> >> --
> >> -Ryan
> >> [ryanpcmcquen.org]
> >> 
> >> 
