On Thu, 23 Dec 2021 01:49:53 -0500 Andres Salomon <dilin...@queued.net> wrote:
> On 12/13/21 5:31 PM, Moritz Muehlenhoff wrote:
> > On Sun, Dec 12, 2021 at 08:11:00PM -0500, Andres Salomon wrote:
> >> On 12/5/21 6:41 AM, Moritz Mühlenhoff wrote:
> >>> On Sun, Dec 05, 2021 at 10:53:56AM +0100, Paul Gevers wrote:
> >>> Exactly that.
> >>>
> >>> I'd suggest anyone who's interested in seeing Chromium supported
> >>> to first update it in unstable (and then work towards updated in
> >>> bullseye-security).
> >> I started doing just that:
> >> https://salsa.debian.org/dilinger/chromium (v96 and misc-fixes
> >> branches).
> > As a side note: If any of the system/* patches cause issues, feel
> > free to switch to the vendored copies. Vendoring in general is
> > frowned upon since it requires that a fix in a library spreads
> > out to all vendored copies, but for Chromium there's a steady
> > stream of Chromium-internal security issues anyway, so for all
> > practical purposes it doesn't make a difference if the Chromium
> > security releases also include a fix for a vendored lib like ICU.
> >
> > Cheers,
> > Moritz
>
> I've got 96.0.4664.110 building on both bullseye and sid, and am
> currently debugging some crashes. The only thing I had to vendor was
> some nodejs libraries, although it's very tempting to take a chainsaw
> through the various patches and re-vendor a bunch of other libraries
> as Jeff suggested. Still on the v96 branch of
> https://salsa.debian.org/dilinger/chromium

Alright, crashes are solved and the packages are now usable. After some cleanups (listing CVEs in changelogs, merging/pushing a bunch of commits in my branch, possibly dropping strong stack protection from builds to silence warnings from older clang versions, and going through lintian errors/warnings), it should be ready to upload.

How should I handle this? NMU to sid, let people try it out, and then deal with buster/bullseye? Upload everything all at once?

I'm also going to try building for buster, unless the security team doesn't think I should bother. That may involve vendoring some additional libraries, so we don't have to carry a bunch of additional patches.

I also haven't heard from anyone on the chromium team yet - should I add myself as an uploader and do a normal (non-NMU) upload? Do any of them care?

Thanks,
Andres