Bug 517856 (xulrunner)

Summary: xulrunner bundles multiple libraries
Product: [Fedora] Fedora
Component: xulrunner
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Martin Stransky <stransky>
Status: ASSIGNED
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: a.badger, bugzilla.acct, ddumas, dominik, gecko-bugs-nobody, jkeck, stransky, walters
Keywords: FutureFeature, Reopened, Triaged
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2013-05-09 15:21:22 EDT
Bug Blocks: 504493

Description Jan Lieskovsky 2009-08-17 10:08:21 EDT
Description of problem:

The Xulrunner package, as shipped with Fedora 11
(and probably also in rawhide, but didn't check)
(xulrunner-1.9.1.2-1.fc11.x86_64) with Firefox 3.5 
(firefox-3.5.2-2.fc11.x86_64) embeds in its source rpm
package multiple multimedia libraries:

# pwd
/root/rpmbuild/BUILD/xulrunner-1.9.1.2/mozilla-1.9.1/media

# ls
libfishsound  libogg  liboggplay  liboggz  libsydneyaudio  libtheora  libvorbis

Fedora 11 ships the following system libraries, which Xulrunner requires:
- libfishsound
- libogg
- liboggz
- libtheora
- libvorbis

The use of the embedded libraries should be prevented. In case
of a security vulnerability in some of them (like CVE-2009-2663 was),
the security update requires more effort than needed.

Version-Release number of selected component (if applicable):
xulrunner-1.9.1.2-1.fc11.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install the xulrunner src.rpm and apply the patches
2. Have a look into BUILD/xulrunner-1.9.1.2/mozilla-1.9.1/media
  
Actual results:
Various multimedia libraries are embedded within xulrunner-1.9.1.2-1.fc11.

Expected results:
The relevant F11's system libraries should be used instead.

Note: Move this bugzilla against the Rawhide version, if the issue is still
      present (as I didn't check the rawhide case).
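
The check described in the report above (list the source tree's media/ directory and compare it with the libraries the distribution already ships) can be automated. The following is an added example, not code from the bug report or from Fedora or Mozilla; the function names, the name normalization rule and the constructed sample tree are assumptions made for illustration.

```python
import os
import tempfile

# System libraries the report names as shipped by Fedora 11. On a real host
# this set could be filled from `rpm -qa --qf '%{NAME}\n'` (assumption).
SYSTEM_LIBS = {"libfishsound", "libogg", "liboggz", "libtheora", "libvorbis"}
SOURCE_SUFFIXES = (".c", ".h", ".cpp", ".cc")

def normalize(name):
    """Map 'libogg', 'ogg' and 'libogg-1.1.4' to the same key, 'ogg'."""
    name = name.lower().split("-")[0]
    return name[3:] if name.startswith("lib") else name

def has_sources(path):
    """True if the directory tree holds at least one C/C++ source file."""
    for _root, _dirs, files in os.walk(path):
        if any(f.endswith(SOURCE_SUFFIXES) for f in files):
            return True
    return False

def find_bundled(media_dir, system_libs):
    """Return (duplicates_of_system_libs, bundled_only) for media_dir."""
    system_keys = {normalize(lib) for lib in system_libs}
    duplicates, bundled_only = [], []
    for entry in sorted(os.listdir(media_dir)):
        path = os.path.join(media_dir, entry)
        if not os.path.isdir(path) or not has_sources(path):
            continue  # skip plain files and directories without code
        if normalize(entry) in system_keys:
            duplicates.append(entry)    # a second copy that needs patching
        else:
            bundled_only.append(entry)  # no system counterpart listed
    return duplicates, bundled_only

def build_sample_tree(root):
    """Constructed stand-in for the media/ listing quoted in the report."""
    names = ["libfishsound", "libogg", "liboggplay", "liboggz",
             "libsydneyaudio", "libtheora", "libvorbis"]
    for name in names:
        os.makedirs(os.path.join(root, name, "src"))
        with open(os.path.join(root, name, "src", "stub.c"), "w") as fh:
            fh.write("/* constructed placeholder */\n")
    os.makedirs(os.path.join(root, "docs"))  # no sources, so it is ignored
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dup, only = find_bundled(build_sample_tree(tmp), SYSTEM_LIBS)
        print("duplicates of system libraries:", dup, "| bundled only:", only)
```

Each directory in the first list is a copy that has to be patched separately from the system package when a library vulnerability is fixed.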
Comment 1 Martin Stransky 2009-09-29 10:18:29 EDT
Hm, looks like the media libraries are built but xulrunner does not link/use them...
Comment 2 Martin Stransky 2009-09-29 10:23:26 EDT
Upstream bug - https://bugzilla.mozilla.org/show_bug.cgi?id=517422
Comment 3 Bug Zapper 2009-11-16 06:30:37 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Toshio Ernie Kuratomi 2010-08-14 15:36:25 EDT
This looks to still be an issue.  Reassigning to rawhide and marking FutureFeature.
Comment 5 Toshio Ernie Kuratomi 2010-08-14 15:38:56 EDT
Note that the upstream maintainer is drawing the wrong conclusion from his facts in the bug report.  He says that they often have to cherrypick security fixes for the relevant libraries and therefore unbundling is a detriment.

In reality, for Fedora, we have to apply security fixes for the libraries and for xulrunner so this doubles the amount of work that we must do.  Unbundling is a positive step for us in this regard.
Comment 6 Thom Carlin 2011-02-19 07:50:29 EST
Martin, any updates on this?
Comment 7 Martin Stransky 2011-02-21 04:14:48 EST
Some patch is here - https://bugzilla.mozilla.org/show_bug.cgi?id=551138
Comment 8 Thom Carlin 2011-02-22 13:26:21 EST
It's not clear to me how 551138 applies and 517422 shows no activity since September.  Any estimate on when this will be implemented?  This bug is part of FES ticket 39.
Comment 9 Christopher Aillon 2011-02-22 14:27:35 EST
Patches welcome.
Comment 10 Thom Carlin 2011-03-14 15:41:06 EDT
Any update on this?
Comment 11 Thom Carlin 2011-05-07 11:25:12 EDT
Has there been any change?
Comment 12 Christopher Aillon 2011-05-09 16:42:45 EDT
Have you supplied patches yet?  That would seriously help move this along.

I realize it's an important bug, but nagging every few months isn't really the way to make progress.
Comment 13 Martin Stransky 2013-05-09 15:21:22 EDT
Let's track this one upstream.
Comment 14 Toshio Ernie Kuratomi 2013-05-09 21:05:55 EDT
We're not really set up to do that.  Our tracking bug can't be blocked by the upstream bug, for instance.
Comment 15 Dominik 'Rathann' Mierzejewski 2014-03-07 16:34:47 EST
firefox/xulrunner have a much bigger bundling problem than just a few multimedia libraries. Here's what I found so far:

syntaxhighlighter
------------------
addon-sdk/source/doc/static-files/syntaxhighlighter

jQuery
------
addon-sdk/source/doc/static-files/js/jquery.js
addon-sdk/source/examples/reddit-panel/data/jquery-1.4.4.min.js
addon-sdk/source/examples/annotator/data/jquery-1.4.2.min.js

LibraryDetector
---------------
addon-sdk/source/examples/library-detector/data/library-detector.js

Python Markdown
---------------
addon-sdk/source/python-lib/markdown

simplejson
----------
addon-sdk/source/python-lib/simplejson

Blueprint CSS Framework
-----------------------
build/pgo/blueprint

pymake
------
build/pymake

stlport
-------
build/stlport

webgl conformance suite
-----------------------
content/canvas/test/webgl

sqlite
------
db/sqlite3

browserscope
------------
editor/libeditor/html/tests/browserscope

angle
-----
gfx/angle

cairo+glitz+pixman
------------------
gfx/cairo

graphite2
---------
gfx/graphite2

harfbuzz
--------
gfx/harfbuzz

ots
---
gfx/ots

skia
----
gfx/skia

color conversion code from Chromium
-----------------------------------
gfx/ybcr

hunspell hyphen library
-----------------------
intl/hyphenation

icu
---
intl/icu

TeX hyphenation patterns
------------------------
intl/locales/*/hyphenation

IPC(?) from Chromium
--------------------
ipc/chromium (this bundles libevent and some other 3rd party code)

JS
--
js/ (this bundles libffi, v8, vtune and other 3rd party code)

kissfft
-------
media/kiss_fft

cubeb
-----
media/libcubeb

libjpeg-turbo
-------------
media/libjpeg

nestegg
-------
media/libnestegg

libogg
------
media/libogg

opus
----
media/libopus

libpng
------
media/libpng

soundtouch
----------
media/libsoundtouch

resampler code from libspeex
----------------------------
media/libspeex_resampler

libtheora
---------
media/libtheora

tremor
------
media/libtremor

libvorbis
---------
media/libvorbis

libvpx
------
media/libvpx

nICEr
-----
media/mtransport/third_party/nICEr

nrappkit
--------
media/mtransport/third_party/nrappkit

webrtc
------
media/webrtc (this bundles libyuv)

jemalloc
--------
memory/jemalloc

double-conversion
-----------------
mfbt/double-conversion

freetype
--------
modules/freetype2

bzip2
-----
modules/libbz2

zlib
----
modules/zlib

srtp
----
netwerk/srtp

nspr
----
nsprpub/

7zip
----
other-licenses/7zstub/src

atk
---
other-licenses/atk-1.0/atk

bsdiff
------
other-licenses/bsdiff

ply
---
other-licenses/ply

snappy
------
other-licenses/snappy

expat
-----
parser/expat/lib

python-blessings
----------------
python/blessings

python-mock
-----------
python/mock-1.0.0

psutil
------
python/psutil

python-virtualenv
-----------------
python/virtualenv

python-which
------------
python/which

nss
---
security/nss

sandbox from Chromium
---------------------
security/sandbox

pywebsocket
-----------
testing/mochitest/pywebsocket

iniparser
---------
testing/mozbase/mozprocess/tests/iniparser

node-spdy
---------
testing/xpcshell/node-spdy

google-breakpad
---------------
toolkit/crashreporter/google-breakpad

acorn
-----
toolkit/devtools/acorn
Comment 16 Martin Stransky 2014-03-10 05:33:40 EDT
Yes, that's correct. 

Firefox bundles an insane amount of libraries and 3rd party code. But we (Fedora Firefox team) do not have time to work on that, besides the fact that many of the bundled libraries contain Mozilla-specific patches.

So if anyone wants to contribute here I'm glad to help to submit his/her patches upstream but that's all we can do for now.