Description of problem:
The Xulrunner package, as shipped with Fedora 11 (and probably also in rawhide, but didn't check) (xulrunner-1.9.1.2-1.fc11.x86_64) with Firefox 3.5 (firefox-3.5.2-2.fc11.x86_64) embeds in its source rpm package multiple multimedia libraries:

  # pwd
  /root/rpmbuild/BUILD/xulrunner-1.9.1.2/mozilla-1.9.1/media
  # ls
  libfishsound libogg liboggplay liboggz libsydneyaudio libtheora libvorbis

Fedora 11 ships the following system libraries, which Xulrunner requires:
- libfishsound
- libogg
- liboggz
- libtheora
- libvorbis

The use of the embedded libraries should be prevented. In case of a security vulnerability in some of them (like CVE-2009-2663 was), the security update requires more effort than needed.

Version-Release number of selected component (if applicable):
xulrunner-1.9.1.2-1.fc11.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install the xulrunner src.rpm and apply the patches
2. Have a look into BUILD/xulrunner-1.9.1.2/mozilla-1.9.1/media

Actual results:
Various multimedia libraries are embedded within xulrunner-1.9.1.2-1.fc11.

Expected results:
The relevant F11's system libraries should be used instead.

Note: Move this bugzilla against Rawhide version, if the issue is still present (as I didn't check the rawhide case).
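The check described in the report above can be scripted. This is an added example, not part of the original report or of any Fedora tooling: the function names are hypothetical, the sample tree and package list are constructed from the names in the report, and it assumes a bundled directory carries the same name as its system package.

```shell
#!/bin/sh
# Added example: classify embedded library directories against installed packages.
# audit_bundled SRC_DIR PKG_LIST
#   SRC_DIR  - directory with one subdirectory per embedded library (e.g. .../media)
#   PKG_LIST - file with one installed package name per line
# Prints "duplicate NAME" when a system package of the same name is installed,
# "bundled-only NAME" otherwise.
audit_bundled() {
    src_dir=$1
    pkg_list=$2
    [ -d "$src_dir" ] || { echo "no such directory: $src_dir" >&2; return 2; }
    [ -r "$pkg_list" ] || { echo "cannot read: $pkg_list" >&2; return 2; }
    for path in "$src_dir"/*/; do
        [ -d "$path" ] || continue          # glob matched nothing
        name=$(basename "$path")
        # -x: whole-line match, -F: literal string, so "libogg" != "liboggz"
        if grep -qxF -- "$name" "$pkg_list"; then
            echo "duplicate $name"
        else
            echo "bundled-only $name"
        fi
    done
}

# Number of embedded copies that shadow an installed system package.
count_duplicates() {
    audit_bundled "$1" "$2" | grep -c '^duplicate '
}

# Constructed sample: the media/ listing and the system libraries named in the
# report, plus one unrelated package (zlib) that must not be flagged.
make_sample() {
    d=$(mktemp -d) || return 1
    for lib in libfishsound libogg liboggplay liboggz libsydneyaudio libtheora libvorbis; do
        mkdir -p "$d/media/$lib"
    done
    printf '%s\n' libfishsound libogg liboggz libtheora libvorbis zlib > "$d/installed.txt"
    echo "$d"
}

tmp=$(make_sample)
audit_bundled "$tmp/media" "$tmp/installed.txt"
rm -rf "$tmp"
```

On a real build host the package list can be produced with `rpm -qa --qf '%{NAME}\n'`. A name match only shows that a system copy exists; whether the build links against it still has to be checked separately.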
Hm, looks like the media libraries are built but xulrunner does not link/use them...
Upstream bug - https://bugzilla.mozilla.org/show_bug.cgi?id=517422
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This looks to still be an issue. Reassigning to rawhide and marking FutureFeature
Note that the upstream maintainer is drawing the wrong conclusion from his facts in the bug report. He says that they often have to cherrypick security fixes for the relevant libraries and therefore unbundling is a detriment. In reality, for Fedora, we have to apply security fixes for the libraries and for xulrunner so this doubles the amount of work that we must do. Unbundling is a positive step for us in this regard.
Martin, any updates on this?
Some patch is here - https://bugzilla.mozilla.org/show_bug.cgi?id=551138
It's not clear to me how 551138 applies and 517422 shows no activity since September. Any estimate on when this will be implemented? This bug is part of FES ticket 39.
Patches welcome.
Any update on this?
Has there been any change?
Have you supplied patches yet? That would seriously help move this along. I realize it's an important bug, but nagging every few months isn't really the way to make progress.
Let's track this one upstream.
We're not really set up to do that. Our tracking bug can't be blocked by the upstream bug, for instance.
firefox/xulrunner have a much bigger bundling problem than just a few multimedia libraries. Here's what I found so far:

syntaxhighlighter
------------------
addon-sdk/source/doc/static-files/syntaxhighlighter

jQuery
------
addon-sdk/source/doc/static-files/js/jquery.js
addon-sdk/source/examples/reddit-panel/data/jquery-1.4.4.min.js
addon-sdk/source/examples/annotator/data/jquery-1.4.2.min.js

LibraryDetector
---------------
addon-sdk/source/examples/library-detector/data/library-detector.js

Python Markdown
---------------
addon-sdk/source/python-lib/markdown

simplejson
----------
addon-sdk/source/python-lib/simplejson

Blueprint CSS Framework
-----------------------
build/pgo/blueprint

pymake
------
build/pymake

stlport
-------
build/stlport

webgl conformance suite
-----------------------
content/canvas/test/webgl

sqlite
------
db/sqlite3

browserscope
------------
editor/libeditor/html/tests/browserscope

angle
-----
gfx/angle

cairo+glitz+pixman
------------------
gfx/cairo

graphite2
---------
gfx/graphite2

harfbuzz
--------
gfx/harfbuzz

ots
---
gfx/ots

skia
----
gfx/skia

color conversion code from Chromium
-----------------------------------
gfx/ybcr

hunspell hyphen library
-----------------------
intl/hyphenation

icu
---
intl/icu

TeX hyphenation patterns
------------------------
intl/locales/*/hyphenation

IPC(?) from Chromium
--------------------
ipc/chromium (this bundles libevent and some other 3rd party code)

JS
--
js/ (this bundles libffi, v8, vtune and other 3rd party code)

kissfft
-------
media/kiss_fft

cubeb
-----
media/libcubeb

libjpeg-turbo
-------------
media/libjpeg

nestegg
-------
media/libnestegg

libogg
------
media/libogg

opus
----
media/libopus

libpng
------
media/libpng

soundtouch
----------
media/libsoundtouch

resampler code from libspeex
----------------------------
media/libspeex_resampler

libtheora
---------
media/libtheora

tremor
------
media/libtremor

libvorbis
---------
media/libvorbis

libvpx
------
media/libvpx

nICEr
-----
media/mtransport/third_party/nICEr

nrappkit
--------
media/mtransport/third_party/nrappkit

webrtc
------
media/webrtc (this bundles libyuv)

jemalloc
--------
memory/jemalloc

double-conversion
-----------------
mfbt/double-conversion

freetype
--------
modules/freetype2

bzip2
-----
modules/libbz2

zlib
----
modules/zlib

srtp
----
netwerk/srtp

nspr
----
nsprpub/

7zip
----
other-licenses/7zstub/src

atk
---
other-licenses/atk-1.0/atk

bsdiff
------
other-licenses/bsdiff

ply
---
other-licenses/ply

snappy
------
other-licenses/snappy

expat
-----
parser/expat/lib

python-blessings
----------------
python/blessings

python-mock
-----------
python/mock-1.0.0

psutil
------
python/psutil

python-virtualenv
-----------------
python/virtualenv

python-which
------------
python/which

nss
---
security/nss

sandbox from Chromium
---------------------
security/sandbox

pywebsocket
-----------
testing/mochitest/pywebsocket

iniparser
---------
testing/mozbase/mozprocess/tests/iniparser

node-spdy
---------
testing/xpcshell/node-spdy

google-breakpad
---------------
toolkit/crashreporter/google-breakpad

acorn
-----
toolkit/devtools/acorn
Yes, that's correct. Firefox bundles an insane amount of libraries and 3rd party code. But we (Fedora Firefox team) do not have time to work on that, besides the fact that many of the bundled libraries contain mozilla specific patches. So if anyone wants to contribute here I'm glad to help to submit his/her patches upstream but that's all we can do for now.
xulrunner is EOL now.