[Buildroot] Spidermonkey bump version

[Buildroot] Spidermonkey bump version

[Giulio Benetti]

Hello All,

since I'm working on udisks bump version I've noticed its dependency 
spidermonkey that is pretty old. I've seen that download site points to 
a gentoo archive to save 200M of download without downloading entire 
Firefox. Would it make sense to change site back to [1] and bump it once 
89.0 is released?

The only packages that use it is polkit that in order is used by:
- udisks
and optionally by:
- gvfs
- brltty
- systemd

[1]: https://archive.mozilla.org/pub/firefox/releases/89.0b14/

Best regards
-- 
Giulio Benetti
Benetti Engineering sas

[Buildroot] Spidermonkey bump version

[Yann E. MORIN]

Giulio, All,

On 2021-05-20 02:21 +0200, Giulio Benetti spake thusly:
> since I'm working on udisks bump version I've noticed its dependency
> spidermonkey that is pretty old. I've seen that download site points to a
> gentoo archive to save 200M of download without downloading entire Firefox.
> Would it make sense to change site back to [1] and bump it once 89.0 is
> released?

Here are my thoughts on that (mozjs == spidermonkey):

  - of course, it is a bigger archive, but that's not necessarily an
    issue in the grand scheme of things;

  - the version we currently have does not require rust, but newer
    versions do; if we update, it means less architectures we can run
    spidermonkey, and thus polkit and its dependees, on;

  - OE is still using mozjs 60.9.0:
        https://git.openembedded.org/meta-openembedded/tree/meta-oe/dynamic-layers/meta-python/recipes-extended/mozjs/mozjs_60.9.0.bb

  - polkit 0.116 (which we currently have) is the last to accept
    mozjs-60; later versions of polkit require more recent versions of
    mozjs: polkit0.117 requires mozjs-68, and 0.118, mozjs-78:
        https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.116/configure.ac#L82
        https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.117/configure.ac#L83
        https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.118/configure.ac#L83

> The only packages that use it is polkit that in order is used by:
> - udisks
> and optionally by:
> - gvfs
> - brltty
> - systemd

So, I'm all meh... Maybe we'll have to bite the bullet and bump mozjs if
we want to bump polkit (probably a good idea to avoid security issues?
Although there is no known CVE for polkit 0.116:
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&seach_type=all&query=cpe:2.3:a:polkit_project:polkit:0.116:*:*:*:*:*:*:*
which does not mean there is no unknown issue either...)

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] Spidermonkey bump version

[Giulio Benetti]

Hi Yann, All,

On 5/20/21 12:33 PM, Yann E. MORIN wrote:
> Giulio, All,
> 
> On 2021-05-20 02:21 +0200, Giulio Benetti spake thusly:
>> since I'm working on udisks bump version I've noticed its dependency
>> spidermonkey that is pretty old. I've seen that download site points to a
>> gentoo archive to save 200M of download without downloading entire Firefox.
>> Would it make sense to change site back to [1] and bump it once 89.0 is
>> released?
> 
> Here are my thoughts on that (mozjs == spidermonkey):
> 
>    - of course, it is a bigger archive, but that's not necessarily an
>      issue in the grand scheme of things;

I agree

>    - the version we currently have does not require rust, but newer
>      versions do; if we update, it means less architectures we can run
>      spidermonkey, and thus polkit and its dependees, on;
> 
>    - OE is still using mozjs 60.9.0:
>          https://git.openembedded.org/meta-openembedded/tree/meta-oe/dynamic-layers/meta-python/recipes-extended/mozjs/mozjs_60.9.0.bb
> 
>    - polkit 0.116 (which we currently have) is the last to accept
>      mozjs-60; later versions of polkit require more recent versions of
>      mozjs: polkit0.117 requires mozjs-68, and 0.118, mozjs-78:
>          https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.116/configure.ac#L82
>          https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.117/configure.ac#L83
>          https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.118/configure.ac#L83
> 
>> The only packages that use it is polkit that in order is used by:
>> - udisks
>> and optionally by:
>> - gvfs
>> - brltty
>> - systemd
> 
> So, I'm all meh... Maybe we'll have to bite the bullet and bump mozjs if
> we want to bump polkit (probably a good idea to avoid security issues?
> Although there is no known CVE for polkit 0.116:
> https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&seach_type=all&query=cpe:2.3:a:polkit_project:polkit:0.116:*:*:*:*:*:*:*
> which does not mean there is no unknown issue either...)

I'm giving a try and I've seen that until mozjs-78 configure file is 
already present while on latest version firefox-89.0 there is not and 
the whole build system changed.

Since we need spidermonkey 78 for polkit 0.118 I would go for bumping 
spidermonkey to 0.78 if it's not too difficult.
What do you think?

Best regards
-- 
Giulio Benetti
Benetti Engineering sas

[Buildroot] Spidermonkey bump version

[Yann E. MORIN]

Giulio, All,

On 2021-05-22 00:31 +0200, Giulio Benetti spake thusly:
> On 5/20/21 12:33 PM, Yann E. MORIN wrote:
> >On 2021-05-20 02:21 +0200, Giulio Benetti spake thusly:
> >>since I'm working on udisks bump version I've noticed its dependency
> >>spidermonkey that is pretty old. I've seen that download site points to a
> >>gentoo archive to save 200M of download without downloading entire Firefox.
> >>Would it make sense to change site back to [1] and bump it once 89.0 is
> >>released?
> >   - the version we currently have does not require rust, but newer
> >     versions do; if we update, it means less architectures we can run
> >     spidermonkey, and thus polkit and its dependees, on;
> >
> >   - OE is still using mozjs 60.9.0:
> >         https://git.openembedded.org/meta-openembedded/tree/meta-oe/dynamic-layers/meta-python/recipes-extended/mozjs/mozjs_60.9.0.bb
> >
> >   - polkit 0.116 (which we currently have) is the last to accept
> >     mozjs-60; later versions of polkit require more recent versions of
> >     mozjs: polkit0.117 requires mozjs-68, and 0.118, mozjs-78:
> >         https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.116/configure.ac#L82
> >         https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.117/configure.ac#L83
> >         https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.118/configure.ac#L83
> >
> >>The only packages that use it is polkit that in order is used by:
> >>- udisks
> >>and optionally by:
> >>- gvfs
> >>- brltty
> >>- systemd
> >
> >So, I'm all meh... Maybe we'll have to bite the bullet and bump mozjs if
> >we want to bump polkit (probably a good idea to avoid security issues?
> >Although there is no known CVE for polkit 0.116:
> >https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&seach_type=all&query=cpe:2.3:a:polkit_project:polkit:0.116:*:*:*:*:*:*:*
> >which does not mean there is no unknown issue either...)
> 
> I'm giving a try and I've seen that until mozjs-78 configure file is already
> present while on latest version firefox-89.0 there is not and the whole
> build system changed.

In mozjs-60.5.2, there is both configure and configure.in, which are the
exact same file, except the former is +x and the latter is -x.

In firefox 89.0, there is indeed no 'configure', but there is still
'configure.in'. If you just chmod +x it, it runs fine. Well, it runs as
long as it can find its depndencies... After all, that script is only a
thin wrapper above their custom buildsystem., as it were in 60.5.2
anyway...

> Since we need spidermonkey 78 for polkit 0.118 I would go for bumping
> spidermonkey to 0.78 if it's not too difficult.

Well, it is not going to be easy: the package has switched over to rust,
so there will be some work to do. We have no package infra for rust, so
you'll have to look at other packages how they handle things...

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] Spidermonkey bump version

[Giulio Benetti]

Hi Yann

On 5/22/21 10:42 PM, Yann E. MORIN wrote:

[SNIP]

>> Since we need spidermonkey 78 for polkit 0.118 I would go for bumping
>> spidermonkey to 0.78 if it's not too difficult.
> 
> Well, it is not going to be easy: the package has switched over to rust,
> so there will be some work to do. We have no package infra for rust, so
> you'll have to look at other packages how they handle things...

I've given a try and yes it's not easy at all, I don't have time to do 
it. Thank you anyway.

Best regards
-- 
Giulio Benetti
Benetti Engineering sas

[Buildroot] Spidermonkey bump version

[Yann E. MORIN]

Giulio, All,

On 2021-05-24 17:56 +0200, Giulio Benetti spake thusly:
> On 5/22/21 10:42 PM, Yann E. MORIN wrote:
> >>Since we need spidermonkey 78 for polkit 0.118 I would go for bumping
> >>spidermonkey to 0.78 if it's not too difficult.
> >Well, it is not going to be easy: the package has switched over to rust,
> >so there will be some work to do. We have no package infra for rust, so
> >you'll have to look at other packages how they handle things...
> I've given a try and yes it's not easy at all, I don't have time to do it.
> Thank you anyway.

Yea,h, I did not expect it to be straightforward... Thanks for having
had a look. :-)

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'