Debian OS

... finally I got my blog up again and I start with yet another lame post

My latest security backports to the upstream abandoned mozilla 1.8.0 branch are now available at http://people.ubuntu.com/~asac/mozilla-security/moz-1.8.1.12a-backports.tar.gz.

Those patches should cover all security related fixes that landed on the 1.8 branch (firefox 2) as of 2.0.0.12 RC3.

I noticed that I didn’t really release any of the post-mortem security patches released in debian and ubuntu. So, here the patchsets for the 1.8.0 branch that contains them all:

• firefox – http://people.ubuntu.com/~asac/mozilla-security/moz-backports-ffox-all-1.8.1.12.tar.gz


• thunderbird – http://people.ubuntu.com/~asac/mozilla-security/moz-backports-tbird-all-1.8.1.12.tar.gz


• xulrunner – http://people.ubuntu.com/~asac/mozilla-security/moz-backports-xul-all-1.8.1.12.tar.gz

Those tarballs ship quilt patch directories. This means that the sequence to apply them cleanly can be found in the contained series file. To apply them to MOZILLA_1_8_0_BRANCH checkout, just copy the directory contained to your checkout (name the directory patches if you like) and run

Have fun!

Well, I am impressed. Iceowl slipped through NEW in just a few hours. Many thanks to our ftp-masters … well done!

Two screenshots Iceowl and its Icedove extension:

Iceowl – Standalone Calendar

Iceowl Calendar Extension for Icedove

tags 388218 + pending
tags 270533 + pending
thanks

Ladies and Gentleman,

I am finally happy to mark this pending … upload should go to sid
today.

iceowl is the unbranded sunbird standalone application.

lightning, the sunbird based thunderbird extension will be called
iceowl-extension … and will be usable in icedove + thunderbird.

I will announce on debian planet once those are uploaded.

Have fun,

mozilla-firefox 1.0.4-2sarge13 based on the backport patches I announced yesterday is now available too. You can get it from my security preview archive.

... are available for testing. firefox will be available soon.

use my security preview archive to help testing this release:

• mozilla: 1.7.8-1sarge9
• mozilla-thunderbird: 1.0.2-2.sarge1.0.8e.1

For reference: The raw patches are http://people.debian.org/~asac/backports-1.5.0.9.tar.gz

Thanks to Ricardo Fernandez we have a great new and consistent artwork for our ice-lizard applications.

For icedove they will land with the next upload … so here some screens.

icedove start-page thumb

icedove about box

icedove credits dialog with new motto: “Icedoves are Free!”

mconnor (Mozilla Corp) and caillon (Red Hat) give hope that mozillas attitude finally starts to change (in the right direction):

• mozilla admits and encourages that distribution builds are the primary way of distributing mozilla software to linux users
• linux contributors will get a chance to form a “strong group of maintainers to drive and own Linux-specific development”, which will have “responsibility for branch policies for Linux-specific code”
• in consequence, distributors will get their chance to integrate linux specific changes into stable branches in order to reduce the patchset needed

That’s all good news, but even better …

“Red Hat and Novell are both going to commit some effort into maintaining the Firefox 1.5.0.x line past the current EOL date this spring” ... thank $GOD for that

Thanks to Mike Hommey we have another set of security updates for
our mozilla apps in sarge. The versions are:

mozilla-firefox 1.0.4-2sarge13
mozilla-thunderbird 1.0.2-2.sarge1.0.8d.1
mozilla 1.7.8-1sarge8

Please use my security archive to get the preview packages and
test them as extensively as possible.

If you encounter any NEW problems, please let us know at pkg-mozilla-maintainers@lists.alioth.debian.org.

Thanks for your support.

It might be obvious for most that follow recent discussions, but here are the names of our IceLizard applications, as we will probably ship in etch:

• IceWeasel aka Firefox
• IceDove, aka Thunderbird
• IceApe aka SeaMonkey

Now we need some artwork … there is a great draft site in ubuntu wiki that looks quite promising: https://wiki.ubuntu.com/IceWeaselIcon

Of course, no guarantees

As I red the post of MJ Ray on planet, I contacted the gnuzilla project and offered to join them in order to make them a good upstream for distributors that cannot obey the new mozilla trademark policy.

My current preference is to use snoweagle for thunderbird. IMO it would be a good choice, as it would be in the same spirit as iceweasel for firefox.

Anyway, more ideas are welcome …

As promissed I made available a preview package for the next mozilla-firefox security update.

The version of this prospective package is: 1.0.4-2sarge12.

If you have a sarge desktop install at hand and want to help, just add my security apt sources from http://www.asoftsite.org/apt-archives.html and upgrade/install mozilla-firefox.

Please test and send NEW bugs to me (asac@jwsdot.com) or to pkg-mozilla-maintainers@lists.alioth.debian.org.

Thanks!

I uploaded another round of security updates for mozilla and mozilla-thunderbird to my security preview archive.

The preview build for firefox will be made available from the same location in a day or two.

The versions of concern here are:

If you see any NEW bugs, let me know.

Thanks

Yesterday, I uploaded a first thunderbird 1.5.0.5 build. It fixes – as you might know – several security issues, applies several patches … so nothing unusual.

However, there is one interesting and maybe useful change: a patch which provides the core feature needed to make a reply-to-list extension possible in thunderbird.

I often red complains that thunderbird has no reply-to-list feature. Thus, I decided to ship this patch for etch. In general, I don’t add features upstream has not yet included. But this one looks important enough for me to not remember my own rules .

In order to make use of this feature, do this:

1. Install enigmail or mnenhy extension. I would suggest enigmail which is in the debian archive (aptitude install enigmail)
2. Install the Reply-To-List Extension from this address.
3. Press Ctrl+I (yes, Ctrl-L is already in use, sorry) in order to reply to list.
4. or add the Reply-To-List button to your toolbar and press that one.

Ah, here a screenshot,

Reply To List Button and Key-Binding in Debian Thunderbird 1.5.0.5

Anyone disagrees with the decision to ship this in etch?

Hi all,

we uploaded preview packages for the next security update of mozilla applications
in debian sarge.

This is the second maintenance release after mozilla foundation officially ended
support for the product versions we ship in sarge. The packages are based on the patches I
backported and announced a few days ago [1].

If you are a more or less advanced debian-sarge user (or developer) who wants to contribute and
you are using one of the mozilla apps, then please help by testing
this preview release and provide both, negative and positive feedback to pkg-mozilla-maintainers@lists.alioth.debian.org.

To test this release, please upgrade your favorite mozilla app from the sources given below.

The repository that contains the new packages can be found at http://people.debian.org/~asac/security.

The applications and versions of concern are:

• mozilla-firefox 1.0.4-2sarge10


• mozilla-thunderbird 1.0.2-2.sarge1.0.8b.1


• mozilla 1.7.8-1sarge7.2.1

You can either download the .debs manually or add the following to your apt sources.list:

deb http://people.debian.org/~asac/security ./

If you run into troubles with any of the new packages, chances are high this is due to some
extension that makes use of some corner-case feature. In order to help to track these cases down
you should disable your extensions one by one until you get rid of the problem. If you find the
extension that causes all the troubles, please don’t forget to mention its name and version.

Thanks for your support!

[1] – http://www.asoftsite.org/s9y/archives/112-Its-mozilla-patch-day!.html

... I have backported security fixes recently announced by mozilla for firefox and thunderbird to the old branch – which we have in debian stable.

You can grab the patchset I produced from http://people.debian.org/~asac/patchset_109b.tar.gz.

In it you find patches that fix:

• all security flaws whose security advisories had been announced together with firefox/thunderbird 1.5.0.5 – if applicable
• a tricky issue that had not been fixed in the last debian stable-security update for mozilla, mozilla-firefox and mozilla-thunderbird (aka mfsa2006-32, Part 2/7).
• two regressions introduced in our last stable-security update that broke some extensions.

Good news is that a bunch of critical flaws have been identified to not affect debian stable, namely:

Another good news is that MFSA2006-45 – which was recently /.ed with a working exploit – is in that list too. So debian stable users are not affected by that issue.

In order to get feedback and testing I am now preparing packages. Testing this is critical, because upstream has abandoned 1.0.x development. So please help to test and report regressions … otherwise those might go unseen and finally slip through to our users. I will announce new packages available for testing on my site and on the pkg-mozilla-maintainers mailing-list.

Thanks for your support!