There is a lot of scrambling with the browser authors about what to do with a new 0-day Java exploit that is circulating and is already part of at least two penetration toolkits. The flaw only exists in Java 1.7, which was never distributed with any PowerPC version of Mac OS X (though you can install an OpenJDK version of it), but because of other flaws you should make sure that the Java plugin is off, and of course we "ship safe" because plugins are already disabled by default anyway. If Mozilla chemspills for this issue, we will probably not follow suit unless there are other changes related to it we want to capture.
Monday, August 27, 2012
Friday, August 24, 2012
Review of the two bugs indicates one minor one, and the other one actually broke the tree at least once and is being watched for fallout on the ESR branch. This does not sound appropriate to land on the tree so late; I'm not going to go through 8 hours of rebuild for a minor issue and an issue that may cause us to rebuild later, both of which were in 10.x all along, and neither of which appears in and of itself to have a security impact. We will pick this up with any rebuild and/or scheduled 10.0.8.
Please try 10.0.7 on your system(s). It will become final on Monday.
Thursday, August 23, 2012
Of note, Mozilla themselves disabled pdf.js prior to release, so it looks like it wasn't really ready for primetime after all. The interested can still reenable it from about:config.
Real life and a paycheque are interfering with my hacking time, so 10.0.7 will be a rush job. I'm hoping to have it up by Sunday or Monday and we should still make it on time. I plan to merge the changesets tonight and then run compiles surreptitiously from the field as I pretend to read office E-mail.
I'm still doing planning for 18.0, our "Judgment Day" release. Because we will be shipping a new C++ runtime and other components, this will require more memory, and while 1GB RAM has been a practical minimum (he admits with obvious pain) for some time, it will be the supported minimum with 18.0. It may still work on systems with less RAM, but it will definitely be impaired, and we won't accept bug reports on those systems. Assuming 17.0 will still build with gcc 4.0.1, it will be the last version to support 512MB machines. You are on notice. We'll see how it goes, based on comments.
More info when the 17 aurora port begins. For now, please try 15.0 and wait for 10.0.7 this weekend.
Sunday, August 12, 2012
Job one is now to get to the next ESR, and I've decided we will skip 16 and go straight to 17-Aurora to ensure that we have enough cycles to get it working. After 15, there will be two or three 17 releases: definitely a 17 Aurora, maybe a 17 Beta, and then a 17-final which all stable users will be offered (so on the stable branch there will be 10.0.7, .8 and finally .9 to end our support of 10ESR). I will update the Roadmap with this information. Remember, builders, downstreamers and porters, even if we get 17 working with gcc 4.0.1, it will be the last version we support building with it (but assuming we do, it will be supported for the life of 17). More about that when I make a formal post about Judgment Day, which will occur when 18 hits Aurora.