Bug 517856 (xulrunner) - xulrunner bundles multiple libraries
Summary: xulrunner bundles multiple libraries
Keywords:
Status: CLOSED WONTFIX
Alias: xulrunner
Product: Fedora
Classification: Fedora
Component: xulrunner
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Martin Stransky
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: DuplicSysLibsTracker
 
Reported: 2009-08-17 14:08 UTC by Jan Lieskovsky
Modified: 2017-05-30 11:37 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-30 11:37:18 UTC
Type: ---




Links
System ID Private Priority Status Summary Last Updated
Mozilla Foundation 517422 0 None None None Never
Mozilla Foundation 551138 0 None None None Never

Internal Links: 1048493

Description Jan Lieskovsky 2009-08-17 14:08:21 UTC
Description of problem:

The Xulrunner package, as shipped with Fedora 11
(and probably also in rawhide, but didn't check)
(xulrunner-1.9.1.2-1.fc11.x86_64) with Firefox 3.5 
(firefox-3.5.2-2.fc11.x86_64) embeds in its source rpm
package multiple multimedia libraries:

# pwd
/root/rpmbuild/BUILD/xulrunner-1.9.1.2/mozilla-1.9.1/media

# ls
libfishsound  libogg  liboggplay  liboggz  libsydneyaudio  libtheora  libvorbis

Fedora 11 ships the following system libraries, which Xulrunner requires:
- libfishsound
- libogg
- liboggz
- libtheora
- libvorbis

The use of the embedded libraries should be prevented. In case
of a security vulnerability in some of them (like CVE-2009-2663 was),
the security update requires more effort than needed.

Version-Release number of selected component (if applicable):
xulrunner-1.9.1.2-1.fc11.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install the xulrunner src.rpm and apply the patches
2. Have a look into BUILD/xulrunner-1.9.1.2/mozilla-1.9.1/media
  
Actual results:
Various multimedia libraries are embedded within xulrunner-1.9.1.2-1.fc11.

Expected results:
The relevant F11's system libraries should be used instead.

Note: Move this bugzilla against Rawhide version, if the issue is still
      present (as I didn't check the rawhide case).

Comment 1 Martin Stransky 2009-09-29 14:18:29 UTC
Hm, looks like the media libraries are built but xulrunner does not link/use them...

Comment 2 Martin Stransky 2009-09-29 14:23:26 UTC
Upstream bug - https://bugzilla.mozilla.org/show_bug.cgi?id=517422

Comment 3 Bug Zapper 2009-11-16 11:30:37 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 4 Toshio Ernie Kuratomi 2010-08-14 19:36:25 UTC
This looks to still be an issue.  Reassigning to rawhide and marking FutureFeature.

Comment 5 Toshio Ernie Kuratomi 2010-08-14 19:38:56 UTC
Note that the upstream maintainer is drawing the wrong conclusion from his facts in the bug report.  He says that they often have to cherrypick security fixes for the relevant libraries and therefore unbundling is a detriment.

In reality, for Fedora, we have to apply security fixes for the libraries and for xulrunner so this doubles the amount of work that we must do.  Unbundling is a positive step for us in this regard.

Comment 6 Thom Carlin 2011-02-19 12:50:29 UTC
Martin, any updates on this?

Comment 7 Martin Stransky 2011-02-21 09:14:48 UTC
Some patch is here - https://bugzilla.mozilla.org/show_bug.cgi?id=551138

Comment 8 Thom Carlin 2011-02-22 18:26:21 UTC
It's not clear to me how 551138 applies and 517422 shows no activity since September.  Any estimate on when this will be implemented?  This bug is part of FES ticket 39.

Comment 9 Christopher Aillon 2011-02-22 19:27:35 UTC
Patches welcome.

Comment 10 Thom Carlin 2011-03-14 19:41:06 UTC
Any update on this?

Comment 11 Thom Carlin 2011-05-07 15:25:12 UTC
Has there been any change?

Comment 12 Christopher Aillon 2011-05-09 20:42:45 UTC
Have you supplied patches yet?  That would seriously help move this along.

I realize it's an important bug, but nagging every few months isn't really the way to make progress.

Comment 13 Martin Stransky 2013-05-09 19:21:22 UTC
Let's track this one upstream.

Comment 14 Toshio Ernie Kuratomi 2013-05-10 01:05:55 UTC
We're not really set up to do that.  Our tracking bug can't be blocked by the upstream bug, for instance.

Comment 15 Dominik 'Rathann' Mierzejewski 2014-03-07 21:34:47 UTC
firefox/xulrunner have a much bigger bundling problem than just a few multimedia libraries. Here's what I found so far:

syntaxhighlighter
------------------
addon-sdk/source/doc/static-files/syntaxhighlighter

jQuery
------
addon-sdk/source/doc/static-files/js/jquery.js
addon-sdk/source/examples/reddit-panel/data/jquery-1.4.4.min.js
addon-sdk/source/examples/annotator/data/jquery-1.4.2.min.js

LibraryDetector
---------------
addon-sdk/source/examples/library-detector/data/library-detector.js

Python Markdown
---------------
addon-sdk/source/python-lib/markdown

simplejson
----------
addon-sdk/source/python-lib/simplejson

Blueprint CSS Framework
-----------------------
build/pgo/blueprint

pymake
------
build/pymake

stlport
-------
build/stlport

webgl conformance suite
-----------------------
content/canvas/test/webgl

sqlite
------
db/sqlite3

browserscope
------------
editor/libeditor/html/tests/browserscope

angle
-----
gfx/angle

cairo+glitz+pixman
------------------
gfx/cairo

graphite2
---------
gfx/graphite2

harfbuzz
--------
gfx/harfbuzz

ots
---
gfx/ots

skia
----
gfx/skia

color conversion code from Chromium
-----------------------------------
gfx/ybcr

hunspell hyphen library
-----------------------
intl/hyphenation

icu
---
intl/icu

TeX hyphenation patterns
------------------------
intl/locales/*/hyphenation

IPC(?) from Chromium
--------------------
ipc/chromium (this bundles libevent and some other 3rd party code)

JS
--
js/ (this bundles libffi, v8, vtune and other 3rd party code)

kissfft
-------
media/kiss_fft

cubeb
-----
media/libcubeb

libjpeg-turbo
-------------
media/libjpeg

nestegg
-------
media/libnestegg

libogg
------
media/libogg

opus
----
media/libopus

libpng
------
media/libpng

soundtouch
----------
media/libsoundtouch

resampler code from libspeex
----------------------------
media/libspeex_resampler

libtheora
---------
media/libtheora

tremor
------
media/libtremor

libvorbis
---------
media/libvorbis

libvpx
------
media/libvpx

nICEr
-----
media/mtransport/third_party/nICEr

nrappkit
--------
media/mtransport/third_party/nrappkit

webrtc
------
media/webrtc (this bundles libyuv)

jemalloc
--------
memory/jemalloc

double-conversion
-----------------
mfbt/double-conversion

freetype
--------
modules/freetype2

bzip2
-----
modules/libbz2

zlib
----
modules/zlib

srtp
----
netwerk/srtp

nspr
----
nsprpub/

7zip
----
other-licenses/7zstub/src

atk
---
other-licenses/atk-1.0/atk

bsdiff
------
other-licenses/bsdiff

ply
---
other-licenses/ply

snappy
------
other-licenses/snappy

expat
-----
parser/expat/lib

python-blessings
----------------
python/blessings

python-mock
-----------
python/mock-1.0.0

psutil
------
python/psutil

python-virtualenv
-----------------
python/virtualenv

python-which
------------
python/which

nss
---
security/nss

sandbox from Chromium
---------------------
security/sandbox

pywebsocket
-----------
testing/mochitest/pywebsocket

iniparser
---------
testing/mozbase/mozprocess/tests/iniparser

node-spdy
---------
testing/xpcshell/node-spdy

google-breakpad
---------------
toolkit/crashreporter/google-breakpad

acorn
-----
toolkit/devtools/acorn
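
The check described in the original report, extended to the kind of listing in comment 15, as an added example that is not part of the bug thread or of any Fedora tooling: it classifies each directory under a source tree's media/ as a duplicate of an installed system package or as bundled-only. The function names, the alias-file format and the sample tree (including the assumption that the system ships libjpeg-turbo) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag bundled source directories that duplicate a system package.

# classify_bundled MEDIA_DIR INSTALLED_LIST [ALIAS_FILE]
#   INSTALLED_LIST: one package name per line, e.g. produced on an RPM host by
#                   rpm -qa --qf '%{NAME}\n' | sort -u
#   ALIAS_FILE:     optional "directory package" pairs for directories whose
#                   name differs from the package name (hypothetical format)
classify_bundled() {
    media_dir=$1 installed=$2 aliases=${3:-/dev/null}
    for path in "$media_dir"/*/; do
        [ -d "$path" ] || continue            # glob matched nothing
        dir=$(basename "$path")
        # Map the directory name to a package name; default to the directory name.
        pkg=$(awk -v d="$dir" '$1 == d { print $2; exit }' "$aliases")
        [ -n "$pkg" ] || pkg=$dir
        if grep -Fxq -- "$pkg" "$installed"; then
            printf 'DUPLICATE %s (system package: %s)\n' "$dir" "$pkg"
        else
            printf 'BUNDLED-ONLY %s\n' "$dir"
        fi
    done
}

# Constructed sample: directory names taken from the report's `ls` output plus
# media/libjpeg from comment 15; the installed list is an assumption.
make_sample() {
    root=$(mktemp -d)
    for d in libfishsound libogg liboggplay liboggz libsydneyaudio \
             libtheora libvorbis libjpeg; do
        mkdir -p "$root/media/$d"
    done
    printf '%s\n' libfishsound libogg liboggz libtheora libvorbis \
        libjpeg-turbo > "$root/installed.txt"
    printf 'libjpeg libjpeg-turbo\n' > "$root/aliases.txt"
    printf '%s\n' "$root"
}

sample=$(make_sample)
classify_bundled "$sample/media" "$sample/installed.txt" "$sample/aliases.txt"
rm -rf "$sample"
```

Directories reported as DUPLICATE are the ones where a security fix has to be applied twice, once in the system package and once in the bundled copy.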

Comment 16 Martin Stransky 2014-03-10 09:33:40 UTC
Yes, that's correct. 

Firefox bundles an insane amount of libraries and 3rd party code. But we (Fedora Firefox team) do not have time to work on that, besides the fact that many of the bundled libraries contain Mozilla-specific patches.

So if anyone wants to contribute here, I'm glad to help submit his/her patches upstream, but that's all we can do for now.

Comment 17 Martin Stransky 2017-05-30 11:37:18 UTC
xulrunner is EOL now.

