Issue 66338 - replace Mozilla code/binaries shipped with / used by OOo with recent SeaMonkey
Summary: replace Mozilla code/binaries shipped with / used by OOo with recent SeaMonkey
Status: CLOSED FIXED
Alias: None
Product: General
Classification: Code
Component: code (show other issues)
Version: OOo 2.0.3
Hardware: All All
: P2 Trivial (vote)
Target Milestone: OOo 3.2
Assignee: Frank Schönheit
QA Contact: issues@framework
URL:
Keywords: oooqa
Depends on:
Blocks:
 
Reported: 2006-06-12 10:26 UTC by rene
Modified: 2017-05-20 10:28 UTC (History)
3 users (show)

See Also:
Issue Type: TASK
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments

Note You need to log in before you can comment on or make changes to this issue.
Description rene 2006-06-12 10:26:37 UTC
Hi,

our mozilla in the tree is ooold (1.7.5) and since then many security bugs were 
found and fixed. As mozilla isn't developed anymore we probably should either 
switch to  XULRunner (but that might make problems with the mozab stuff - I am 
not sure whether XULRunner is "full" enough) or SeaMonkey.

And it should be possible to use system-"mozilla" *and* enable the mozab stuff 
which currently isn't :/

Regards,

Rene
Comment 1 thorsten.martens 2006-06-12 12:13:32 UTC
Not a OpenOffice-issue. Please assign issue to the appropiate
component/subcomponent.
Comment 2 rene 2006-06-12 14:28:33 UTC
wrong.

OOo uses mozilla at diverse places, and it uses mozilla 1.7.5.

I don't see why this isn't a OOo issue...
Comment 3 thorsten.martens 2006-06-14 10:38:36 UTC
TM->requirements: please have a look, thanks !
Comment 4 Frank Schönheit 2006-06-28 10:05:05 UTC
Since the Mozilla in our tree is in my responsibility, this issue would probably
be mine. Grabbing.

Lowering priority. If you think P2 is justified, please explain in more detail.

Yes, we should probably switch to either SeaMonkey or Thunderbird (XULRunner
won't do, I strongly suppose. The original intention to include Mozilla was the
address book stuff, which I doubt to be in XULRunner).

> And it should be possible to use system-"mozilla" *and* enable the mozab stuff 
> which currently isn't :/

This is possible as soon as Mozilla allows different processes to access the
same profile simultaneously
(https://bugzilla.mozilla.org/show_bug.cgi?id=135137). Without this, OOo could
not access Mozilla address books when a Mozilla is already running.
Comment 5 Frank Schönheit 2006-06-28 10:08:05 UTC
accepting
Comment 6 rene 2006-06-28 10:39:37 UTC
upgrading again.

For me it was a P1, too, but I already did lower it for filing.

This is a security issue. Our mozilla in-tree is ancient and has many known 
security bugs. We use this mozilla and ship it to the outside. No one even 
cared about updating mozilla....

As Mozilla isn't developed anymore, really it should be replaced.

> This is possible as soon as Mozilla allows different processes to access the
> same profile simultaneously
> (https://bugzilla.mozilla.org/show_bug.cgi?id=135137). Without this, OOo
> could not access Mozilla address books when a Mozilla is already running.

this is bad why? Just document that...

So I take it I can build against xulrunner and get the mozab functionality 
(baring the lock problem). Building against Mozilla is no option (planned to be 
removed from Debian soon) for example.

Comment 7 Frank Schönheit 2006-06-28 11:24:57 UTC
> This is a security issue. Our mozilla in-tree is ancient and has many known 
> security bugs. We use this mozilla and ship it to the outside.

What we use from the Mozilla binraies we ship is:
- Address Book functionality
- LDAP libaries
- security/encryption libraries

To my best knowledge, there have been no security issues in those areas since
Mozilla 1.7.5. Nothing else from Mozilla is shipped/used. So, "It has many know
security bugs" is not really convincing to me.

> As Mozilla isn't developed anymore, really it should be replaced.

That itself isn't convincing, too. I won't invest effort into this without a
good reason to do so (however I will not block efforts invested by others :).

>> Without this, OOo could not access Mozilla address books when a Mozilla
>> is already running.
> this is bad why? Just document that...

People using the Mozilla address book are usually also using Mozilla. And here
the usage pattern more often than not is to have Mozilla constantly running for
reading mails. This means that effectively, the address book access does not
work at all.
No, this is not just an issue to document, this is a real breaker of the whole
functionality.

> So I take it I can build against xulrunner and get the mozab functionality 
> (baring the lock problem).

I don't know enough about XULRunner, in particular which libs it includes, to
judge this. Is the address book stuff *really* part of the XULRunner? Wouldn't
it be a little ... fat than for a runner? Anyway, that's your decision for your
distribution. If it works - great!
Comment 8 rene 2006-06-28 11:45:13 UTC
> What we use from the Mozilla binraies we ship is:
> - Address Book functionality
> - LDAP libaries
> - security/encryption libraries
> 
> To my best knowledge, there have been no security issues in those areas since
> Mozilla 1.7.5. Nothing else from Mozilla is shipped/used. So, "It has many
> know security bugs" is not really convincing to me.

It doesn't matter really..
You ship loads of mozilla core libraries, too..
It shouldn't be too hard to upgrade to mozilla 1.7.13 anyway given that mozilla 
isn't really developed anymore.

Not to mention mozilla as in-tree doesn't build with recent compilers...
(the distros don't notice that since they bbuild with system-mozilla (or 
xulrunner) anyway and therefore automatically disable mozab)
> People using the Mozilla address book are usually also using Mozilla. And 
> here the usage pattern more often than not is to have Mozilla constantly
> running for reading mails. This means that effectively, the address book
> access does not work at all.
> No, this is not just an issue to document, this is a real breaker of the
> whole functionality.

Maybe, but running mozilla all the time takes your memory to the kness anyway, 
so doing that isn't very common. Ina ddditin, the mozab stuff is *the* way in 
OOo to use a LDAP adress book which does not fall into your constructed usage 
pattern ;-)

> I don't know enough about XULRunner, in particular which libs it includes, to
> judge this. Is the address book stuff *really* part of the XULRunner? 

I doubt that. That's why I did that ironic statement ;)

> Wouldn't it be a little ... fat than for a runner? Anyway, that's your

Yep.

> decision for your distribution. If it works - great!

We use it already for the xmlsec stuff since using Mozilla itself is broken
(XULRunner exactly is there to build the gecko/nss/nmpr using stuff against)

Ok, means that I need to still be unsable to ship the mozab stuff...
Comment 9 Frank Schönheit 2006-06-28 11:59:01 UTC
> It shouldn't be too hard to upgrade to mozilla 1.7.13 anyway given that mozilla
> isn't really developed anymore.

Maybe. But given that I doubt the necessity, have loads of other things to do,
and this upgrade would perhaps take me a while (the original authors of the
mozab integration are all gone, I inherited it), I hesitate to embark on this.

> Maybe, but running mozilla all the time takes your memory to the kness anyway,
> so doing that isn't very common.
Hmm. My Mozilla is running all day long, and I *know* I'm not the only one :)

> Ina ddditin, the mozab stuff is *the* way in OOo to use a LDAP adress book
Well, yes, if I had the time I need, I'd replace the LDAP access with one
bypassing Mozilla ... :-\

> I doubt that. That's why I did that ironic statement  ;) 
Damn, seems my irony detector is broken.´Sorry :)

> We use it already for the xmlsec stuff since using Mozilla itself is broken
> (XULRunner exactly is there to build the gecko/nss/nmpr using stuff against)

that's great. Does it also contain the LDAP stuff? IIRC, our Mozilla libs were
also used for some LDAP configuration backend.
Comment 10 rene 2006-06-28 12:05:40 UTC
> Ina ddditin, the mozab stuff is *the* way in OOo to use a LDAP adress book
> Well, yes, if I had the time I need, I'd replace the LDAP access with one
> bypassing Mozilla ... :-\

Please do..

> that's great. Does it also contain the LDAP stuff? IIRC, our Mozilla libs 
> were also used for some LDAP configuration backend.

There's libldap from OpenLDAP...
I don't see the sense in using *Mozilla* for if it there's OpenLDAP which main 
purpose is what? right, LDAP :)
Comment 11 Frank Schönheit 2006-06-28 12:32:10 UTC
Historically, Mozilla->LDAP was used 'cause it hides the LDAP stuff behind a
generic "address book" API, so we got it for free after we got the Mozilla
Address Book. From today's perspective, this wasn't the best design decision
ever ... Then, people started using the Mozilla LDAP libs since "it is there,
isn't it?".

Quite some layzeness involved, it seems :).

Yes, migrating to OpenLDAP would be good ...
Comment 12 tml 2008-04-29 12:27:15 UTC
There is also the problem that the mozilla-source-1.7.5 patch currently included
in the sources is not good enough if one wants to build the Mozilla bits with
the Visual Studio 2008 compiler. VS2008 is the recommended compiler for bulding
dev300 sources for Windows as far as I know.

There are prebuilt Mozilla binaries etc at
http://tools.openoffice.org/moz_prebuild/680/ . What version of Mozilla do these
correspond to? The same 1.7.5? In that case I guess it needs to be documented
that for Windows, one cannot any longer build Mozilla, at least not using the
same compiler that should be used for the rest of OOo, but one *must* use the
prebuilt stuff. 
Comment 13 Mechtilde 2008-07-30 16:43:17 UTC
add to CC 

the fix of this problem is important for the new PIM function with
Thunderbird/Lightning

Comment 14 Frank Schönheit 2008-12-11 09:11:05 UTC
@rene:
In CWS moz2seamonkey01, work is ongoing to replace the Mozilla code with
SeaMonkey 1.1.x code. Would you agree to use this issue here as the
general-purpose issue for the migration? It's the one existing issue which is
closest to a general "replace the old stuff with some more recent code". All the
other issues currently added to the CWS are somewhat more specific, and I'd like
to have a general issue, too.
Comment 15 rene 2008-12-11 09:19:34 UTC
fs: yes, you can do, I'll then simply file an other issue for sanitizing it by
using OpenLDAP :)
Comment 16 Frank Schönheit 2008-12-11 09:42:42 UTC
great. And yes, the OpenLDAP thing is a different story. Which I'd love to have,
but somehow ...
Comment 17 Frank Schönheit 2009-03-05 20:06:07 UTC
Fixed in CWS moz2seamonkey01. Actually, the credits for this go to Pierre
Pasteau, who did nearly all the work.
Comment 18 Frank Schönheit 2009-06-03 12:12:28 UTC
looks good, /me thinks
Comment 19 thorsten.ziehm 2009-07-20 14:55:15 UTC
This issue is closed automatically and wasn't rechecked in a current version of
OOo. The fixed issue should be integrated in OOo since more than half a year. If
you think this issue isn't fixed in a current version (OOo 3.1), please reopen
it and change the field 'Target Milestone' accordingly.

If you want to download a current version of OOo =>
http://download.openoffice.org/index.html
If you want to know more about the handling of fixed/verified issues =>
http://wiki.services.openoffice.org/wiki/Handle_fixed_verified_issues
Comment 20 thorsten.ziehm 2009-07-20 15:35:13 UTC
Sorry this issue was wrongly closed. This issue will be reopened automatically.
And will be set after that back to fixed/verified.
Comment 21 thorsten.ziehm 2009-07-20 15:39:47 UTC
Set to state 'fixed'.
Comment 22 thorsten.ziehm 2009-07-20 15:44:04 UTC
Set back to state 'verified/fixed'.

Again. Sorry for the mass of mails.