Closed Bug 1427266 Opened 2 years ago Closed 2 years ago

Statically link libdmg-hfsplus against openssl

Categories

(Firefox Build System :: General, enhancement)

Tracking

(firefox59 fixed)

RESOLVED FIXED
mozilla59

People

(Reporter: glandium, Assigned: glandium)

Attachments

(1 file)

No description provided.
Comment on attachment 8939011
Bug 1427266 - Statically link libdmg-hfsplus against OpenSSL.

https://reviewboard.mozilla.org/r/209452/#review215160

::: taskcluster/scripts/misc/build-libdmg-hfsplus.sh:16
(Diff revision 1)
>  # There's no single well-maintained fork of libdmg-hfsplus, so we forked
>  # https://github.com/andreas56/libdmg-hfsplus/ to get a specific version and
>  # backport some patches.
>  : LIBDMG_REPOSITORY    ${LIBDMG_REPOSITORY:=https://github.com/mozilla/libdmg-hfsplus}
>  # The `mozilla` branch contains our fork.
> -: LIBDMG_REV           ${LIBDMG_REV:=ba04b00435a0853f1499d751617177828ee8ec00}
> +: LIBDMG_REV           ${LIBDMG_REV:=2ee327795680101d36f9700bd0fb618362237718}
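
Review bot: the new `LIBDMG_REV` default on the `+` line has no comment recording why this revision was chosen, so nothing in the script tells a later reader that the pin is what brings in static OpenSSL linking (per the commit title) and that picking up an OpenSSL fix now means rebuilding this toolchain. A one-line comment above `: LIBDMG_REV` would capture that. The pinned commit also has to be reachable from the `mozilla` branch of the `LIBDMG_REPOSITORY` default before this lands, otherwise the script cannot check it out.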

Note this assumes https://github.com/mozilla/libdmg-hfsplus/pull/1 is merged with a fast-forward.
Attachment #8939011 - Flags: review?(core-build-config-reviews)
Comment on attachment 8939011
Bug 1427266 - Statically link libdmg-hfsplus against OpenSSL.

https://reviewboard.mozilla.org/r/209452/#review215212

My main concern with statically linking openssl is weakening security by making it harder to upgrade openssl. But I don't see how this change increases our security risk given how libdmg-hfsplus is currently used (as a support library in a desired-to-be-deterministic Docker image).
Attachment #8939011 - Flags: review+
Pushed by mh@glandium.org:
https://hg.mozilla.org/integration/autoland/rev/78f2064b3811
Statically link libdmg-hfsplus against OpenSSL. r=gps
Backout by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bbd42a73b04c
Backed out 1 changesets for failing linux toolchain builds r=backout on a CLOSED TREE
Forgot this needs the libdmg-hfsplus PR to be merged first.
Mike, can you merge https://github.com/mozilla/libdmg-hfsplus/pull/1 (a fast-forward would avoid having to change the patch in this bug)?
Flags: needinfo?(mshal)
Merged.
Flags: needinfo?(mshal)
Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/aa3ac1aa5299
Statically link libdmg-hfsplus against OpenSSL. r=gps
https://hg.mozilla.org/mozilla-central/rev/aa3ac1aa5299
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Product: Core → Firefox Build System