
Re: [Bug-gnuzilla] icecat maintenance


From: Mark H Weaver
Subject: Re: [Bug-gnuzilla] icecat maintenance
Date: Mon, 25 Dec 2017 21:15:30 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Gammel Holte <address@hidden> writes:

> On Thu, Dec 21, 2017 at 5:33 PM, Antonio Trande <address@hidden> wrote:
>> Will Icecat be upgraded still?
>
> I was wondering the same thing. As much as I dislike the latest moves
> by Mozilla [1] and as much as I like GNU and IceCat, I'm a bit worried
> by the lack of maintenance of the project.
>
> IceCat is quite lagging behind Firefox ESR now. HEAD is 52.3.0,
> whereas Firefox ESR is already at 52.5.2.

I agree that this is a very serious problem.  GNU IceCat is my primary
web browser, and I worry a *lot* about computer security.

As de facto maintainer of the IceCat package in GNU Guix, I have a
solution for myself and for other GNU Guix users.  Whenever Mozilla
issues a security advisory, I search for the associated fixes in the
upstream mozilla-esr52 source repository, and apply them to our packages
in GNU Guix.  At the time of this writing, we include 69 patches
cherry-picked from upstream Firefox ESR, including all fixes from 52.5.2
that I deemed to be possibly relevant to security.

However, the set of IceCat patches that I maintain for GNU Guix is
*not* sufficient for building a secure IceCat on other distros.  Here's
why:

The source code of IceCat (and upstream Firefox) includes bundled copies
of a very large number of external libraries, e.g. icu4c, nspr, nss,
freetype, zlib, libbz2, libevent, libjpeg, libvpx, cairo, libffi,
sqlite, libogg, libtheora, libvorbis, libtremor, libopus, speex,
harfbuzz, graphite2, etc.

In GNU Guix, we do our best to avoid using those bundled libraries, and
instead use the corresponding libraries from our other packages.  In
fact, we *delete* many of these libraries from the IceCat source code.

Some of the important security fixes from Mozilla are actually fixes to
bundled libraries that we don't use in Guix, e.g. to the bundled NSS.
When I find those, I make sure that Guix's canonical package includes
the same fix (it usually already does), but I do *not* apply that patch
to our IceCat source code.  Indeed, in most cases we've already deleted
that code from our copy of the IceCat sources, and we obviously cannot
patch code that is not even there.

Also, I usually omit cherry-picking fixes to code that's specific to
Windows, OS X, or Android, and I often omit fixes to the automated
testing framework, since we do not run those automated tests on Guix
anyway.

So, that's what I can offer you: the IceCat package in GNU Guix, which
can be installed either as a standalone distro, or as an extremely
non-intrusive package manager on top of another GNU/Linux distro.  In
the latter case, the only files installed are in /gnu, /var/guix,
/var/log/guix, and ~/.guix-profile, in such a way that is fairly
invisible to the rest of the system unless your environment variables
are set to refer to the aforementioned directories.

      Mark
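One way to make the patch triage described above mechanical, as an added example that is not Guix's or IceCat's own code: a small Python script that reads the file headers of a cherry-picked unified diff and reports whether it touches code the unbundled build compiles, a deleted bundled library (the cue to check the canonical package instead), platform-specific code, or only automated tests. The bundled-library and platform path prefixes are assumptions, and the sample patch is constructed.

```python
import re

# Assumed prefixes of bundled third-party libraries that Guix deletes from
# the IceCat tree; fixes there belong in the canonical library package.
BUNDLED_DIRS = ("security/nss/", "nsprpub/", "modules/zlib/", "intl/icu/",
                "media/libvpx/", "gfx/cairo/", "js/src/ctypes/libffi/")
# Assumed prefixes of code for platforms the Guix package is not built for.
PLATFORM_DIRS = ("widget/windows/", "widget/cocoa/", "mobile/android/")
# Path fragments that mark automated-test files.
TEST_MARKERS = ("/test/", "/tests/", "/mochitest/", "/gtest/")

# '--- a/path' / '+++ b/path' file headers of a unified diff.  Hunk body
# lines begin with ' ', '+' or '-' followed by code, so only a code line
# that itself starts with '++ ' or '-- ' could be mistaken for a header.
_FILE_HDR = re.compile(r"^(?:\+\+\+|---) (?:[ab]/)?(\S+)", re.M)

def touched_files(patch_text):
    """Return the set of paths a unified diff touches, ignoring /dev/null."""
    return {m.group(1) for m in _FILE_HDR.finditer(patch_text)
            if m.group(1) != "/dev/null"}

def classify_path(path):
    """Bucket one file path by where it sits in the source tree."""
    if path.startswith(BUNDLED_DIRS):
        return "bundled"
    if path.startswith(PLATFORM_DIRS):
        return "platform"
    if any(marker in path for marker in TEST_MARKERS):
        return "test"
    return "applicable"

def triage(patch_text):
    """'applicable' if any touched file is code we build; otherwise the
    reason to skip it ('bundled' means: check the canonical package)."""
    kinds = {classify_path(p) for p in touched_files(patch_text)}
    for verdict in ("applicable", "bundled", "platform", "test"):
        if verdict in kinds:
            return verdict
    return "empty"

# Constructed sample: a fix confined to bundled NSS (not a real changeset).
SAMPLE_NSS_FIX = """\
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -1 +1 @@
-int old = 0;
+int fixed = 1;
"""
```

Run `triage()` over each `git format-patch` or `hg export` file in a series and the "bundled" verdicts are the ones to cross-check against the separately packaged library.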