NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Remove end-of-life spidermonkey versions (78, 91, 102) #157874

Open mweinelt opened 2 years ago

mweinelt commented 2 years ago

Both packages have reached their end of life together with their respective Firefox versions and should be removed before NixOS 22.05.

https://endoflife.date/firefox

@lostnet @abbradar @ajs124

lostnet commented 2 years ago

Here are the other packages that I've been monitoring:

dasJ commented 2 years ago

I'd like to remind the people here that branch-off is scheduled for tomorrow and depending on how good the staging builds progress, we will branch off rather soon.

lostnet commented 2 years ago

cjs seems to be the limiting factor. I think libproxy has not been correctly configuring spidermonkey so it could just be removed as a dependency and no functionality would change.

91.9.1 is actually the first version I've seen that unequivocally deals with a spidermonkey defect as the CVE, and unless that was a recent regression it therefore means clearly insecure EOL versions. It would make sense to isolate the usage of 78 to dependents that can be confirmed to require no sandboxing (or other separation of privileges) and otherwise mark it insecure?

I have no access to a normal computer this weekend though so I probably can't try anything ahead of the release.


mweinelt commented 2 years ago

Unrealistic to achieve and postponed to the 22.11 release cycle. Thanks for your research and documentation on the topic!

lostnet commented 2 years ago

libproxy could now be moved off 78, but cjs remains a problem, as well as some other dependents. So the refactor in https://github.com/NixOS/nixpkgs/pull/179822 still includes 78.

ajs124 commented 2 years ago

libproxy could now be moved off 78

see #181917

jtojnar commented 2 years ago

Polkit done in #181264.

ajs124 commented 2 years ago

I guess we can now remove spidermonkey_68 from the list, since that's gone, but need to add spidermonkey_91, used in couchdb and gjs, because support for that version of firefox has ended.

jtojnar commented 2 years ago

182618 updates gjs

mweinelt commented 2 years ago
chvp commented 2 years ago

It's not possible for 0ad unfortunately. The versions of spidermonkey have to match between clients, and we can't rely on other clients using the same version. AFAIK there are also no patches written yet for compatibility with 102.

bobby285271 commented 1 year ago

Cinnamon 5.8 & CJS 5.8 bump (should use spidermonkey_102)

mweinelt commented 1 year ago

The 102 series will go EOL on 2023-08-29. The 115 series will be released in early July. https://whattrainisitnow.com/calendar/

bobby285271 commented 1 year ago

The next GJS (>= 1.77.2, as part of GNOME 45) will depend on spidermonkey 115 (not packaged yet unfortunately)

RaitoBezarius commented 1 year ago

@chvp Please can you inline spidermonkey_78 inside 0ad? We will drop it officially but you can keep using it as the sole consumer of this package.

@puffnfresh Can you consider what it takes to move away from spidermonkey 102 in jsawk? Thanks!

@aforemny @jfrankenau Can you consider what it takes to move away from spidermonkey 102 in plowshare? Thanks!

I guess, we will have spidermonkey 102 for NixOS 23.11, but we can remove any public use of the previous versions IMHO by inlining 78 (0ad) & 91 (CouchDB 3.x) to their call site.

mweinelt commented 1 year ago

I'm not convinced inlining is a good solution to this problem. It's not like we are getting new consumers of EOL spidermonkey versions regularly.

RaitoBezarius commented 1 year ago

I'm not convinced inlining is a good solution to this problem. It's not like we are getting new consumers of EOL spidermonkey versions regularly.

It's not a permanent solution to the problem, it's a "let's erase them from the top-level" temporary solution. For something like a game like 0ad, I'm not really sure we will see them disappear.

ajs124 commented 1 year ago

@puffnfresh Can you consider what it takes to move away from spidermonkey 102 in jsawk? Thanks!

@aforemny @jfrankenau Can you consider what it takes to move away from spidermonkey 102 in plowshare? Thanks!

Both of these just call the js binary, which rarely ever changes. So just updating the package to a newer version and seeing if it still works as expected should be enough.

mweinelt commented 8 months ago

Spidermonkey is likely affected by https://github.com/advisories/GHSA-gv5g-5832-j3rm, https://github.com/advisories/GHSA-cm37-53wc-mx6g, so please evaluate whether your applications could be affected by that.

I'm inclined to mark versions older than 115 as known vulnerable at some point.
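As an added illustration of the "mark as insecure" idea raised earlier in the thread and in the comment above (this is not code from the thread or from nixpkgs itself): an overlay that attaches `meta.knownVulnerabilities` to the 102 series, next to the consumer-side opt-in via `permittedInsecurePackages`; the attribute and option names are nixpkgs' real mechanisms, the advisory identifiers are the ones quoted above, and the exact package version string is a placeholder.

```nix
# Added example, not part of the thread or of nixpkgs: flag the EOL
# SpiderMonkey 102 series as known-vulnerable and show how a consumer
# that has evaluated the advisories opts in explicitly.
{
  nixpkgs.overlays = [
    (final: prev: {
      spidermonkey_102 = prev.spidermonkey_102.overrideAttrs (old: {
        meta = (old.meta or { }) // {
          # A non-empty knownVulnerabilities list makes evaluation of every
          # dependent fail with these messages unless the package is
          # permitted by name, so EOL status is surfaced at build time
          # rather than silently inherited by gjs, couchdb, cjs, ...
          knownVulnerabilities = (old.meta.knownVulnerabilities or [ ]) ++ [
            "SpiderMonkey 102 is end-of-life and no longer receives security fixes"
            "Likely affected by GHSA-gv5g-5832-j3rm and GHSA-cm37-53wc-mx6g"
          ];
        };
      });
    })
  ];

  # Consumer side: only an application whose maintainer has checked that the
  # advisories do not apply (e.g. no untrusted JS is ever evaluated) should
  # add the package here. The entry must match "${pname}-${version}" of the
  # derivation; "102.x" is a placeholder for the concrete packaged version.
  nixpkgs.config.permittedInsecurePackages = [
    "spidermonkey-102.x"
  ];
}
```

Outside a NixOS module the same opt-in can be granted ad hoc with `NIXPKGS_ALLOW_INSECURE=1` for a single `nix-build`, which is useful for testing but should not be baked into a configuration.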

chvp commented 8 months ago

0ad should not be affected, no remote JS is loaded.

bobby285271 commented 8 months ago

The patches are https://github.com/mozilla/gecko-dev/commit/81806e7ccec7dde41e37c9891592a6e39ce46380 and https://github.com/mozilla/gecko-dev/commit/afbdf6822c9e9f9b6d44b9ea6904cb10878126b1 according to the bug ID I think.

It looks like MObjectKeysLength::computeRange is introduced in https://github.com/mozilla/gecko-dev/commit/eec1c03d31ad59280f99e9eafcd0eeb10e6a1ed5 3 months ago, and https://github.com/mozilla/gecko-dev/commit/afbdf6822c9e9f9b6d44b9ea6904cb10878126b1 does not touch the js folder :thinking:

aforemny commented 7 months ago

As the plowshare project seems abandoned, I opt for removing the package.

bobby285271 commented 5 months ago

Cinnamon 6.2 and CJS 6.2 bump (should use spidermonkey_115)

fpletz commented 3 months ago

For something like a game like 0ad, I'm not really sure we will see them disappear.

The next version of 0ad will support a newer version of spidermonkey - unfortunately only 91 but then we can drop 78: https://github.com/0ad/0ad/commit/9513e7eb79b00417d8979e7eaf95db807ed08c5a

mweinelt commented 3 months ago

That is so very cool of them, now that 128 ESR is released. :facepalm:

fpletz commented 3 months ago

Next version of CouchDB will have support for QuickJS: https://github.com/apache/couchdb/pull/4627

bobby285271 commented 3 months ago

https://github.com/NixOS/nixpkgs/pull/333028 packages spidermonkey_128, and to test mozjs128-based GJS, gjs.passthru.tests should build on https://github.com/NixOS/nixpkgs/commit/7740a533663eccc5fb41c598e8e3bf6d532f0dfa.