From 6d328879378fac95240005233331f596fb5c68ed Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Tue, 25 Sep 2018 17:13:59 -0400 Subject: gnu: icecat: Rebundle NSPR and NSS [security fix]. Works around . * gnu/packages/gnuzilla.scm (icecat)[source]: In snippet, don't remove NSS. [inputs]: Remove 'nspr' and 'nss'. [arguments]: Remove --with-system-{nspr,nss} from configure flags. --- gnu/packages/gnuzilla.scm | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 6834d82426..ea3b61c231 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -519,6 +519,13 @@ security standards.") ;; FIXME: A script from the bundled nspr is used. ;;"nsprpub" ;; + ;; FIXME: With the update to IceCat 60, using system NSS + ;; broke certificate validation. See + ;; . For now, we use + ;; the bundled NSPR and NSS. TODO: Investigate, + ;; and try to unbundle these libraries again. + ;; UNBUNDLE-ME! "security/nss" + ;; ;; TODO: Use more system media libraries. See: ;; ;; * libtheora: esr60 wants v1.2, not yet released. @@ -541,7 +548,6 @@ security standards.") "media/libvorbis" ;; "media/libtheora" ; wants theora-1.2, not yet released "media/libtremor" - "security/nss" "gfx/harfbuzz" "gfx/graphite2" "js/src/ctypes/libffi" @@ -588,8 +594,10 @@ security standards.") ("pulseaudio" ,pulseaudio) ("mesa" ,mesa) ("mit-krb5" ,mit-krb5) - ("nspr" ,nspr) - ("nss" ,nss) + ;; See + ;; and related comments in the 'snippet' above. + ;; UNBUNDLE-ME! ("nspr" ,nspr) + ;; UNBUNDLE-ME! ("nss" ,nss) ("sqlite" ,sqlite) ("startup-notification" ,startup-notification) ("unzip" ,unzip) @@ -653,8 +661,12 @@ security standards.") ;; "--with-system-theora" ; wants theora-1.2, not yet released "--with-system-libvpx" "--with-system-icu" - "--with-system-nspr" - "--with-system-nss" + + ;; See + ;; and related comments in the 'snippet' above. + ;; UNBUNDLE-ME! "--with-system-nspr" + ;; UNBUNDLE-ME! "--with-system-nss" + "--with-system-harfbuzz" "--with-system-graphite2" "--enable-system-pixman" -- cgit 1.4.1