|
Apache OpenOffice (AOO) Bugzilla – Full Text Issue Listing |
| Summary: | replace Mozilla code/binaries shipped with / used by OOo with recent SeaMonkey | ||
|---|---|---|---|
| Product: | General | Reporter: | rene |
| Component: | code | Assignee: | Frank Schönheit <frank.schoenheit> |
| Status: | CLOSED FIXED | QA Contact: | issues@framework <issues> |
| Severity: | Trivial | ||
| Priority: | P2 | CC: | issues, mechtilde, tml |
| Version: | OOo 2.0.3 | Keywords: | oooqa |
| Target Milestone: | OOo 3.2 | ||
| Hardware: | All | ||
| OS: | All | ||
| Issue Type: | TASK | Latest Confirmation in: | --- |
| Developer Difficulty: | --- | ||
|
Description
rene
2006-06-12 10:26:37 UTC
Not a OpenOffice-issue. Please assign issue to the appropiate component/subcomponent. wrong. OOo uses mozilla at diverse places, and it uses mozilla 1.7.5. I don't see why this isn't a OOo issue... TM->requirements: please have a look, thanks ! Since the Mozilla in our tree is in my responsibility, this issue would probably be mine. Grabbing. Lowering priority. If you think P2 is justified, please explain in more detail. Yes, we should probably switch to either SeaMonkey or Thunderbird (XULRunner won't do, I strongly suppose. The original intention to include Mozilla was the address book stuff, which I doubt to be in XULRunner). > And it should be possible to use system-"mozilla" *and* enable the mozab stuff > which currently isn't :/ This is possible as soon as Mozilla allows different processes to access the same profile simultaneously (https://bugzilla.mozilla.org/show_bug.cgi?id=135137). Without this, OOo could not access Mozilla address books when a Mozilla is already running. accepting upgrading again.
For me it was a P1, too, but I already did lower it for filing.
This is a security issue. Our mozilla in-tree is ancient and has many known
security bugs. We use this mozilla and ship it to the outside. No one even
cared about updating mozilla....
As Mozilla isn't developed anymore, really it should be replaced.
> This is possible as soon as Mozilla allows different processes to access the
> same profile simultaneously
> (https://bugzilla.mozilla.org/show_bug.cgi?id=135137). Without this, OOo
> could not access Mozilla address books when a Mozilla is already running.
this is bad why? Just document that...
So I take it I can build against xulrunner and get the mozab functionality
(baring the lock problem). Building against Mozilla is no option (planned to be
removed from Debian soon) for example.
> This is a security issue. Our mozilla in-tree is ancient and has many known > security bugs. We use this mozilla and ship it to the outside. What we use from the Mozilla binraies we ship is: - Address Book functionality - LDAP libaries - security/encryption libraries To my best knowledge, there have been no security issues in those areas since Mozilla 1.7.5. Nothing else from Mozilla is shipped/used. So, "It has many know security bugs" is not really convincing to me. > As Mozilla isn't developed anymore, really it should be replaced. That itself isn't convincing, too. I won't invest effort into this without a good reason to do so (however I will not block efforts invested by others :). >> Without this, OOo could not access Mozilla address books when a Mozilla >> is already running. > this is bad why? Just document that... People using the Mozilla address book are usually also using Mozilla. And here the usage pattern more often than not is to have Mozilla constantly running for reading mails. This means that effectively, the address book access does not work at all. No, this is not just an issue to document, this is a real breaker of the whole functionality. > So I take it I can build against xulrunner and get the mozab functionality > (baring the lock problem). I don't know enough about XULRunner, in particular which libs it includes, to judge this. Is the address book stuff *really* part of the XULRunner? Wouldn't it be a little ... fat than for a runner? Anyway, that's your decision for your distribution. If it works - great! > What we use from the Mozilla binraies we ship is: > - Address Book functionality > - LDAP libaries > - security/encryption libraries > > To my best knowledge, there have been no security issues in those areas since > Mozilla 1.7.5. Nothing else from Mozilla is shipped/used. So, "It has many > know security bugs" is not really convincing to me. It doesn't matter really.. You ship loads of mozilla core libraries, too.. It shouldn't be too hard to upgrade to mozilla 1.7.13 anyway given that mozilla isn't really developed anymore. Not to mention mozilla as in-tree doesn't build with recent compilers... (the distros don't notice that since they bbuild with system-mozilla (or xulrunner) anyway and therefore automatically disable mozab) > People using the Mozilla address book are usually also using Mozilla. And > here the usage pattern more often than not is to have Mozilla constantly > running for reading mails. This means that effectively, the address book > access does not work at all. > No, this is not just an issue to document, this is a real breaker of the > whole functionality. Maybe, but running mozilla all the time takes your memory to the kness anyway, so doing that isn't very common. Ina ddditin, the mozab stuff is *the* way in OOo to use a LDAP adress book which does not fall into your constructed usage pattern ;-) > I don't know enough about XULRunner, in particular which libs it includes, to > judge this. Is the address book stuff *really* part of the XULRunner? I doubt that. That's why I did that ironic statement ;) > Wouldn't it be a little ... fat than for a runner? Anyway, that's your Yep. > decision for your distribution. If it works - great! We use it already for the xmlsec stuff since using Mozilla itself is broken (XULRunner exactly is there to build the gecko/nss/nmpr using stuff against) Ok, means that I need to still be unsable to ship the mozab stuff... > It shouldn't be too hard to upgrade to mozilla 1.7.13 anyway given that mozilla > isn't really developed anymore. Maybe. But given that I doubt the necessity, have loads of other things to do, and this upgrade would perhaps take me a while (the original authors of the mozab integration are all gone, I inherited it), I hesitate to embark on this. > Maybe, but running mozilla all the time takes your memory to the kness anyway, > so doing that isn't very common. Hmm. My Mozilla is running all day long, and I *know* I'm not the only one :) > Ina ddditin, the mozab stuff is *the* way in OOo to use a LDAP adress book Well, yes, if I had the time I need, I'd replace the LDAP access with one bypassing Mozilla ... :-\ > I doubt that. That's why I did that ironic statement ;) Damn, seems my irony detector is broken.´Sorry :) > We use it already for the xmlsec stuff since using Mozilla itself is broken > (XULRunner exactly is there to build the gecko/nss/nmpr using stuff against) that's great. Does it also contain the LDAP stuff? IIRC, our Mozilla libs were also used for some LDAP configuration backend. > Ina ddditin, the mozab stuff is *the* way in OOo to use a LDAP adress book > Well, yes, if I had the time I need, I'd replace the LDAP access with one > bypassing Mozilla ... :-\ Please do.. > that's great. Does it also contain the LDAP stuff? IIRC, our Mozilla libs > were also used for some LDAP configuration backend. There's libldap from OpenLDAP... I don't see the sense in using *Mozilla* for if it there's OpenLDAP which main purpose is what? right, LDAP :) Historically, Mozilla->LDAP was used 'cause it hides the LDAP stuff behind a generic "address book" API, so we got it for free after we got the Mozilla Address Book. From today's perspective, this wasn't the best design decision ever ... Then, people started using the Mozilla LDAP libs since "it is there, isn't it?". Quite some layzeness involved, it seems :). Yes, migrating to OpenLDAP would be good ... There is also the problem that the mozilla-source-1.7.5 patch currently included in the sources is not good enough if one wants to build the Mozilla bits with the Visual Studio 2008 compiler. VS2008 is the recommended compiler for bulding dev300 sources for Windows as far as I know. There are prebuilt Mozilla binaries etc at http://tools.openoffice.org/moz_prebuild/680/ . What version of Mozilla do these correspond to? The same 1.7.5? In that case I guess it needs to be documented that for Windows, one cannot any longer build Mozilla, at least not using the same compiler that should be used for the rest of OOo, but one *must* use the prebuilt stuff. add to CC the fix of this problem is important for the new PIM function with Thunderbird/Lightning @rene: In CWS moz2seamonkey01, work is ongoing to replace the Mozilla code with SeaMonkey 1.1.x code. Would you agree to use this issue here as the general-purpose issue for the migration? It's the one existing issue which is closest to a general "replace the old stuff with some more recent code". All the other issues currently added to the CWS are somewhat more specific, and I'd like to have a general issue, too. fs: yes, you can do, I'll then simply file an other issue for sanitizing it by using OpenLDAP :) great. And yes, the OpenLDAP thing is a different story. Which I'd love to have, but somehow ... Fixed in CWS moz2seamonkey01. Actually, the credits for this go to Pierre Pasteau, who did nearly all the work. looks good, /me thinks This issue is closed automatically and wasn't rechecked in a current version of OOo. The fixed issue should be integrated in OOo since more than half a year. If you think this issue isn't fixed in a current version (OOo 3.1), please reopen it and change the field 'Target Milestone' accordingly. If you want to download a current version of OOo => http://download.openoffice.org/index.html If you want to know more about the handling of fixed/verified issues => http://wiki.services.openoffice.org/wiki/Handle_fixed_verified_issues Sorry this issue was wrongly closed. This issue will be reopened automatically. And will be set after that back to fixed/verified. Set to state 'fixed'. Set back to state 'verified/fixed'. Again. Sorry for the mass of mails. |