Bug#1052283: bookworm-pu: package mozjs102/102.15.1-1~deb12u1

Jeremy Bícha jeremy.bicha at canonical.com
Tue Sep 19 20:20:27 BST 2023 

Package: release.debian.org
Control: affects -1 + src:mozjs102
X-Debbugs-Cc: mozjs102 at packages.debian.org
User: release.debian.org at packages.debian.org
Usertags: pu
Tags: bookworm

[ Reason ]
mozjs is the SpiderMonkey JavaScript engine from Firefox (ESR).
Firefox 102 ESR receives monthly security updates until its end of
life September 26. In this case, the final expected 102 ESR release
was September 19.

The Debian Security Team does not handle security updates for mozjs;
they go through the normal stable update process.

[ Impact ]
mozjs powers gjs which is used by GNOME Shell and some GNOME apps.
Outside Debian proper, Linux Mint Debian Edition probably also has
their cjs package using Debian's mozjs102 package, where cjs is a
light fork of gjs for the Cinnamon desktop.

If this upload isn't accepted, known security bugs would be unfixed,
although it is unclear their impact on the Desktop outside of the web
browser context.

[ Tests ]
mozjs does have its own automated test suite and most of the tests are
run and would fail the build if they fail.

Additionally, I have successfully completed the test cases at
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs
after first successfully building for amd64 in my bookworm chroot.

[ Risks ]
I have helped do these mozjs security updates for Ubuntu 22.04 LTS and
newer. Mozilla is only including security fixes, not feature updates
or changes in this update.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
debian/upstream/signing-key.asc was updated so that uscan would
correctly import the new version because the old key has expired since
the last mozjs102 update for Bookworm. The keys are rotated every 2
years.

https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/

debian/gbp.conf was updated to point to the Bookworm branch for the
Debian packaging.

Compared to Debian Unstable, the changelog entries were compressed
into a single paragraph. There were no other debian/ changes.

[ Other info ]
A git log of changes can be found at
https://github.com/mozilla/gecko-dev/commits/esr102/js for changes
since the beginning of May. (Mozilla actually uses mercurial instead
of git but this mirror is helpful).

https://whattrainisitnow.com/calendar/ < click at the bottom of the
page to toggle past release dates

https://www.mozilla.org/security/advisories/

Thank you,
Jeremy Bícha
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mozjs102-102.15.debdiff
Type: application/octet-stream
Size: 176424 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20230919/5a63e132/attachment-0001.obj>

More information about the pkg-gnome-maintainers mailing list