libmozjs and gnome-shell
Moritz Muehlenhoff
jmm at inutil.org
Thu Dec 22 16:44:13 UTC 2011
On Thu, Dec 22, 2011 at 03:52:03PM +0100, Mike Hommey wrote:
> On Thu, Dec 22, 2011 at 03:28:52PM +0100, Josselin Mouette wrote:
> > Hi all,
> >
> > currently we build gjs, which contains the JS bindings required to run
> > gnome-shell, against the libmozjs version shipped by iceweasel. This
> > requires a bit of hackery, especially because libmozjs changes every 3
> > months, but it works and it allows to have only one libmozjs version in
> > the archive.
>
> 6 weeks ;)
>
> > However, recently upstream made it clear that such a setup is absolutely
> > not supported, and they will not even try to fix bugs reported from
> > Debian systems.
> >
> > They now use a snapshot of an older libmozjs, called libmozjs185, to
> > build gjs against. This snapshot has a bit of upstream support itself,
> > and is designed to be parallel-installable. Most other distributions
> > have given up and started to use it.
>
> It's not supported upstream. It's (kind of) supported by a third-party.
> AFAIK, it has received none of the JS engine specific security fixes.
>
> > Eventually gnome-shell might migrate to using seed, which would solve
> > these issues by using libjavascriptcore instead, but this is probably
> > for wheezy+1, so we need a solution for wheezy.
> >
> > What would you all think about packaging libmozjs185 and use it in
> > Debian too? Of course this code duplication makes long-term security
> > support more complicated.
>
> I've said numerous times that I won't prevent anyone from packaging
> libmozjs185. I just won't do it myself. FWIW, the libmozjs185 "upstream"
> maintainer was interested in packaging it for debian himself. So anyone
> interested should try to contact Wes Garland.
All the Javascript executing in Gnome Shell would be under the control
of installed extensions or the user, who wrote local Javascript code, right?
As such it doesn't face the same challenges as a Javascript engine used in
a web browser, so I don't think a second copy would hurt as we simply
wouldn't provide sec support for it.
Cheers,
Moritz
More information about the pkg-gnome-maintainers
mailing list