
[19.03] Mark various versions of firefox and derivatives as vulnerable #77398

Closed

Conversation

@stefano-m
Contributor

stefano-m commented Jan 9, 2020

Motivation for this change

Mainly because of

https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/

but there are also other older and unsupported packages.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @flokli due to #77361 (comment)

@worldofpeace
Member

worldofpeace commented Jan 9, 2020

I believe the ISOs and VMs use firefox, so they won't evaluate with this. And haven't we already declared 19.03 as EOL (and subsequently possibly having security vulnerabilities)?
We'd in no way have the resources to mark every package with vulnerabilities on EOL releases.
Additionally, every person who uses firefox on 19.09 (not that I'm trying to support them) is going to have an issue building their configuration and would have to make a change. I don't think that's an appropriate change to make in any stable distribution.

@stefano-m
Contributor Author

stefano-m commented Jan 10, 2020

See #77361 (comment) for why I created this. I understand 19.03 is EOL (although to be honest the information seems to be somewhat hidden in the release notes - also discussed in #77361).

I was in two minds about creating the PR, but I noticed that release-19.03 is still getting new commits, so I thought it might be worth marking the browsers as insecure because I believe they have a large impact on many users (sorry, I have no numbers to substantiate this claim, so take it as a personal opinion).

If you think it's not worth proceeding, I am OK with closing the PR and so be it. I can submit a new PR for master and 19.09 though.

Thank you very much.

@stefano-m
Contributor Author

stefano-m commented Jan 10, 2020

Also, I don't know how to make the failed checks pass, since it seems they fail exactly because the packages have been marked as insecure 😅

@flokli
Contributor

flokli commented Jan 10, 2020

Right, this fails evaluation and is by design… I also don't think a backport is trivial: usually firefox updates trigger world rebuilds due to nss updates, so it might be best to just close this PR. Sorry for the fuss.

We should indeed show more prominently on the website how long we backport security fixes to older releases; I opened NixOS/nixos-homepage#325.
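The evaluation failure discussed above is the intended effect of the nixpkgs `meta.knownVulnerabilities` mechanism: a package whose list is non-empty refuses to evaluate unless the user explicitly permits it. The following Nix is an added illustration, not this PR's diff and not nixpkgs' own firefox expression; it shows a package marked insecure with the advisory cited in this PR, next to the NixOS configuration a user on an old channel would have to add to build it anyway. The package name `example-browser`, its version, and the `VERSION` placeholder in the opt-in list are assumptions; `meta.knownVulnerabilities`, `nixpkgs.config.permittedInsecurePackages` and `NIXPKGS_ALLOW_INSECURE` are real nixpkgs knobs.

```nix
# Added example, not code from this PR. Two halves of the nixpkgs "insecure" mechanism.
{ pkgs ? import <nixpkgs> {} }:

let
  # Half 1: the package side. Any non-empty meta.knownVulnerabilities makes
  # stdenv's meta check abort evaluation with a message that names the package
  # and repeats each entry, so the advisory URL is a useful thing to put there.
  exampleBrowser = pkgs.stdenv.mkDerivation rec {
    pname = "example-browser";   # assumed name, stands in for a firefox derivative
    version = "0.0";             # placeholder version
    dontUnpack = true;           # no source needed: only evaluation matters here
    installPhase = "mkdir -p $out";
    meta = {
      description = "Hypothetical browser build affected by mfsa2020-03";
      knownVulnerabilities = [
        "https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/"
      ];
    };
  };

  # Half 2: the user side. Building the package above fails unless its
  # "pname-version" name is listed here (NixOS: nixpkgs.config.permittedInsecurePackages;
  # non-NixOS: permittedInsecurePackages in ~/.config/nixpkgs/config.nix), or the
  # ad-hoc escape hatch NIXPKGS_ALLOW_INSECURE=1 is set for a single nix-build.
  # Either way the opt-in is explicit and shows up in configuration review.
  nixosOptIn = { ... }: {
    nixpkgs.config.permittedInsecurePackages = [
      "example-browser-VERSION"   # placeholder: copy the exact name from the error message
    ];
  };
in
{
  inherit exampleBrowser nixosOptIn;
}
```

Evaluating `exampleBrowser` with `nix-build` and no opt-in reproduces the failure the CI checks hit on this PR; the error text lists the advisory string and tells the user which name to add to `permittedInsecurePackages`.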

@flokli flokli closed this Jan 10, 2020
@LnL7
Member

LnL7 commented Jan 10, 2020

Something like #23590 would also help to provide more visibility to users about the state of their current channels.
