Hi, the new stable release of Chromium is now 21.0.1180.57. As always, the new version contains several security bug corrections --> http://googlechromereleases.blogspot.be/2012/07/stable-channel-release.html
CC: (none) => dmorganec
Component: New RPM package request => Security
chromium-browser-stable-21.0.1180.81 is already in the cauldron, could be available in Mageia 2 repository /core/updates_testing/
CC: (none) => frateraec
Assignee: bugsquad => dmorganec
I up, last release is 23.x, still 21 :( "http://www.chromium.org/getting-involved/dev-channel#TOC-Linux" thank you
CC: (none) => inster.css
oupsss, i want for mageia 3 sorry
*** Bug 8300 has been marked as a duplicate of this bug. ***
*** Bug 8327 has been marked as a duplicate of this bug. ***
CC: (none) => adrien.daugabel+mga
Probably would be a good idea to sync our package with OpenSuSE as much as possible, as they do the best job of any distro out there of keeping it updated. Their most recent advisory for it is from today (December 21): http://lists.opensuse.org/opensuse-updates/2012-12/msg00073.html They updated it to 25.0.1362 It doesn't appear to be maintained anymore in Mandriva, who we used to sync with. ROSA does maintain it and their package of course is based on Mandriva's. ROSA most recently updated it to 23.0.1271.97 on December 12: https://abf.rosalinux.ru/import/chromium-browser-stable/tree/rosa2012.1
CC: (none) => luigiwalser
URL: (none) => http://lwn.net/Vulnerabilities/530372/
v8 should also be updated along with this, as there are two security issues.
CC: (none) => oe
Depends on: (none) => 8567
Hardware: x86_64 => All
Version: 2 => Cauldron
Whiteboard: (none) => MGA2TOO
With the originating request for the version in Cauldron, not certain from the above comments whether Chromium in Mageia 2 is being considered for a security upgrade. If not it should be. Would that require a separate bug report?
CC: (none) => bobhombre
nop we use the whiteboard when we have bugs that affect several release with version on the highest.
CC: (none) => cjw
Priority: Normal => release_blocker
Summary: Update Chromium to the last stable version (21.0.1180.57) => Update Chromium to the last stable version
Blocks: (none) => 8888
OpenSuSE has issued an advisory on February 4: http://lists.opensuse.org/opensuse-updates/2013-02/msg00005.html It updates to 26.0.1383, fixing several more security issues. from http://lwn.net/Vulnerabilities/536111/
The version of Chromium of Mageia 2 is very outdated, Google already have a stable version of Chrome 25.0.1364.97
Downloading continuous Chromium builds.
Chromium builds do not auto-update, and do not have symbols. This makes them most useful for checking whether a claimed fix actually works. The most recent Chromium build from the build waterfall is available at http://download-chromium.appspot.com.
Use the following instructions to find earlier builds:
1. Head to http://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html
2. Choose your platform: Mac, Windows, Linux, ChromiumOS
3. Pick the Chromium build number you'd like to use
   1. The latest one is mentioned in the LAST_CHANGE file
4. Download the zip file containing Chromium
5. There is a binary executable within to run. ( $ ./chrome )
Please, file bugs as appropriate. http://code.google.com/p/chromium/issues/entry
OpenSuSE has issued an advisory today (March 14): http://lists.opensuse.org/opensuse-updates/2013-03/msg00045.html It updates to 27.0.1425, fixing several more security issues. from http://lwn.net/Vulnerabilities/542922/
Any volunteer to update chromium?
CC: (none) => pierre-malo.denielou
I use chromium browser. If you want, I build my own RPM (without signature) and I share my RPM on mageialinux-online.org. You can test my RPM but I don't guarantee they do not break your machine. http://linuxtricks.asso-linux-online.fr/adrien/rpm/mga2/x86_64/chromium-browser-stable-25.0.1364.172-1.mga2.x86_64.rpm http://linuxtricks.asso-linux-online.fr/adrien/rpm/mga2/i586/chromium-browser-stable-25.0.1364.172-1.mga2.i586.rpm
Adrien, you should join our packager team, and directly produce packages for everyone! I can mentor you if you want.
I still think we should drop Chromium. The workaround is quite easy: Google has repo for Chrome @ http://dl.google.com/linux/chrome/rpm/stable/<ARCH> - so long it seems to work fine on Mageia 2 and also on Mageia 3 (cauldron). We can add howto into errata. Chromium has been problem since Mageia 1 and we shouldn't release software that we can't maintain.
Repository google-chrome:
# urpmi.addmedia --update google-chrome http://dl.google.com/linux/chrome/rpm/stable/$(uname -m | sed -e "s/i.86/i386/")
Google Chrome isn't opensource. Chromium browser yes ;) I would like use chromium for this thing.
I had mentioned how to get Chromium binaries: https://bugs.mageia.org/show_bug.cgi?id=6927#c12
please test new cauldron package
What about Mageia 2? It should be updated there first..
CC: (none) => sander.lepik
Version: Cauldron => 2
Blocks: 8888 => (none)
Whiteboard: MGA2TOO => (none)
Priority: release_blocker => High
(In reply to Sander Lepik from comment #22)
> What about Mageia 2? It should be updated there first..
Actually things should always be updated in Cauldron first. Of course in this particular case, I was under the impression we were dropping this for Cauldron due to being unable to consistently maintain it.
(In reply to Sander Lepik from comment #22)
> What about Mageia 2? It should be updated there first..
i need tests i won't upload broken stuffs in mga2
(In reply to David Walser from comment #23)
> (In reply to Sander Lepik from comment #22)
> > What about Mageia 2? It should be updated there first..
>
> Actually things should always be updated in Cauldron first.
>
> Of course in this particular case, I was under the impression we were
> dropping this for Cauldron due to being unable to consistently maintain it.
i worked on it.
(In reply to D Morgan from comment #24)
> (In reply to Sander Lepik from comment #22)
> > What about Mageia 2? It should be updated there first..
>
> i need tests i won't upload broken stuffs in mga2
We have testing for that. You only work on the very late state on cauldron and then forget it. That's not the way to go. You did this during Mageia 2 release and you are doing it again. You are keeping users out there with unpatched version of Chromium - do you understand that? Mageia 2 went out with version 18 and is now on version 20. WTF? Be honest and finally admit it that you can't keep it up to date and it's time to drop it. Security related bugs should be taken care first on stable release! Sorry for the harsh words but I'm quite pissed about it. It's been going on and on and on. It's time to stop..
Hi, As I open this ticket ... I agree with Sander to drop Chromium from Mageia because it seems it is impossible to have a Chromium package up to date during all releases and all releases have always security fixes. Just see till the start of Mageia Nobody's fault !!! just an observation --> it seems the only one browser to be supported must be Firefox even if I prefer Chrome/Chromium ;) Personally I use Chrome (red hat / fedora) RPM's that can be downloaded from Google. I know it is not free as Chromium but with that I have latest stable version with all security fixes in time ...
(In reply to Sander Lepik from comment #26)
> Mageia 2 went out with version 18 and is now on version 20. WTF? Be honest
> and finally admit it that you can't keep it up to date and it's time to drop
> it.
I agree with this. I don't fault anyone for this either, it's a lot of work to maintain this package consistently, and nobody has the time and interest to do it.
> Security related bugs should be taken care first on stable release!
Again, that's absolutely incorrect.
There are some problems with PNG images : http://img93.xooimage.com/files/d/1/c/screen12-3ce270a.png (MGA 3 - 32bits)
If other people have the same problem, you can try to change the line 132 : - -Duse_system_libpng=1 \ + -Duse_system_libpng=0 \ Thanks
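Review bot: the change at line 132 flips -Duse_system_libpng from 1 to 0 without recording why. Add a comment in the spec naming the PNG rendering problem seen on MGA 3 32-bit, so the switch can be reverted once the build against the system libpng works, and refer to the flag by name rather than by line number, since the line will move as the spec changes.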
yes but this is not really the good solution :( ( i would like a real fix instead ). it seems this is not built with system png in fact, as in the terminal we can see : libpng warning: Application built with libpng-1.2.45 but running with 1.5.13
It's OK now ! Without libpng !
D Morgan, looks like you just pushed a build to nonfree. I'm guessing that was meant to be tainted. Also, don't forget to fix v8 also (Bug 8567), especially since one of your builds is using the system one now.
minizip-devel couldn't exists on Mageia2. You must change the spec file ;)
The release tag should be set to 1 for the Mageia 2 build.
Created attachment 3653 [details] My Spec File, Backported from ROSA If you want, i share you my spec file for Mageia2, backported from ROSA Labs. My chromium source isn't the same, but I do not lose anything to share my work.
we don't use rosa spec file. and rosa spec file is from mdv one ( which is use ). For mga2 this is a linking issue because of the use of the bundle minizip. I close this bugreport as cauldron is now updated.
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to D Morgan from comment #37)
> we don't use rosa spec file. and rosa spec file is from mdv one ( which is
> use ).
> For mga2 this is a linking issue because of the use of the bundle minizip.
>
> I close this bugreport as cauldron is now updated.
Seriously!? WTF?!? This bug is filed against Mageia 2 and you are closing it? What's wrong with you? :/ I repeat, if you can't keep it up-to-date on stable release it's time to drop it!
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Hi, It is really time to know what to do with Chromium ! Now it is more a 'bad joke' than anything else :/ Rmk: And you probably know that you just have a new release --> 26.0.1410.43 ... so what ? new ticket and waiting 8 months ? A+ Raph
chromium is now up to date ( building minizip in zlib ). But help is welcome isn't of insulting. apologize expected ... Please QA team test this new version. This maybe have pbs as i built with system libpng ( this can be detected by graphical issues in the main interface ). This have to be pushed with zlib ( as we build with minizip coming from zlib and wasn't available with mga2 )
for the advisory here is the bug fixed in this new version :
[$1000] [172342] High CVE-2013-0916: Use-after-free in Web Audio. Credit to Atte Kettunen of OUSPG.
[180909] Low CVE-2013-0917: Out-of-bounds read in URL loader. Credit to Google Chrome Security Team (Cris Neckar).
[180555] Low CVE-2013-0918: Do not navigate dev tools upon drag and drop. Credit to Vsevolod Vlasov of the Chromium development community.
[Linux only] [178760] Medium CVE-2013-0919: Use-after-free with pop-up windows in extensions. Credit to Google Chrome Security Team (Mustafa Emre Acer).
[177410] Medium CVE-2013-0920: Use-after-free in extension bookmarks API. Credit to Google Chrome Security Team (Mustafa Emre Acer).
[174943] High CVE-2013-0921: Ensure isolated web sites run in their own processes.
[174129] Low CVE-2013-0922: Avoid HTTP basic auth brute force attempts. Credit to “t3553r”.
[169981] [169972] [169765] Medium CVE-2013-0923: Memory safety issues in the USB Apps API. Credit to Google Chrome Security Team (Mustafa Emre Acer).
[169632] Low CVE-2013-0924: Check an extension’s permissions API usage again file permissions. Credit to Benjamin Kalman of the Chromium development community.
[168442] Low CVE-2013-0925: Avoid leaking URLs to extensions without the tabs permissions. Credit to Michael Vrable of Google.
[112325] Medium CVE-2013-0926: Avoid pasting active tags in certain situations. Credit to Subho Halder, Aditya Gupta, and Dev Kar of xys3c (xysec.com).
(In reply to D Morgan from comment #41)
> for the advisory here is the bug fixed in this new version :
Some of those probably don't even apply to the version we currently have in 2. If we're gonna do the advisory right, we need to list the CVEs that actually affect the version we currently have, that have since been fixed. That would include ones fixed in previous versions, but not vulnerabilities introduced in intermediate versions...probably hard to determine the correct list. Might be better just to say this update fixes multiple unspecified vulnerabilities.
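The scoping rule described in the comment above, written out as an added example (it is not part of the original thread or of any Mageia tooling): an entry belongs in the advisory only if it was present in the shipped version and is fixed by the update. The record identifiers and their introduced/fixed versions are constructed placeholders; only the two package versions passed in `run_sample` come from this bug.

```python
from typing import NamedTuple, Optional

def parse(version: str) -> tuple:
    """Chromium versions are four dotted integers: MAJOR.MINOR.BUILD.PATCH."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) != 4:
        raise ValueError(f"not a Chromium version: {version!r}")
    return parts

class Vuln(NamedTuple):
    ident: str
    introduced: Optional[str]  # None when upstream never stated it
    fixed: str

def scope_advisory(vulns, shipped, updated):
    """Return (applies, unknown) lists of identifiers.

    applies: present in `shipped` and fixed at or before `updated`
    unknown: fixed by the update, but the introducing version is not known,
             which is the case the comment calls hard to determine
    """
    old, new = parse(shipped), parse(updated)
    applies, unknown = [], []
    for v in vulns:
        if not (old < parse(v.fixed) <= new):
            continue  # already fixed in the shipped build, or not fixed by this update
        if v.introduced is None:
            unknown.append(v.ident)
        elif parse(v.introduced) <= old:
            applies.append(v.ident)
        # otherwise it was introduced after the shipped build: users never had it
    return applies, unknown

# Constructed sample records (placeholder identifiers and versions).
SAMPLE = [
    Vuln("EXAMPLE-A", "18.0.0.0", "21.0.0.0"),  # fixed in an intermediate release
    Vuln("EXAMPLE-B", "24.0.0.0", "26.0.0.0"),  # introduced after the shipped build
    Vuln("EXAMPLE-C", None, "26.0.0.0"),        # introduction version unknown
    Vuln("EXAMPLE-D", "17.0.0.0", "20.0.0.0"),  # already fixed in the shipped build
    Vuln("EXAMPLE-E", "19.0.0.0", "27.0.0.0"),  # not fixed until after the update
]

def run_sample():
    # The two versions are the Mageia 2 packages named in this bug.
    return scope_advisory(SAMPLE, "20.0.1132.57", "26.0.1410.51")

if __name__ == "__main__":
    print(run_sample())
```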
i think yes this would be simpler to tell "this update fixes multiple unspecified vulnerabilities."
Thanks for chromium for MGA2. But, I have dependencies zlib-devel for me, but, for a desktop computer, i don't need devel library for zlib. Is it possible to not force the devel library to install on these computers ?
it doesn't require zlib-devel but libminizip.so.1
you can reassign to the QA when it's ready (with the list of srpm) thanks
Source RPM: chromium-browser-stable-20.0.1132.57-2.1.mga2 => chromium-browser-stable-26.0.1410.51-1.mga2
@Raphaël Vinet: can you "end" this "bad joke" and test ?
The following packages will require linking: libprotobuf6-2.4.1-1.mga2 (Core 32bit Release) lib64protobuf6-2.4.1-1.mga2 (Core Release)) D Morgan, I've tested both arches. If you'll assign this to qa, I'll validate the update.
CC: (none) => davidwhodgins
Assignee: dmorganec => qa-bugs
Hi, Last time with Chromium in Mageia for me because I don't believe anymore in the durability of this package and I will not recommend the use of this browser. I installed the package (+ 2 dependencies). Problem with Google synchronisation. In french 'Petit problème ... la synchronisation s'est arrêtée'. As written in help page from Google I did:
- Disconnect from google account when using Chrome (no problem with it)
- Quit Chrome
- Be sure that no Chrome process was running
... but nothing good. Even after deleted all chrome / chromium directories / files, start a fresh Chromium session ... no way to do the connection and the synchronisation from Google
i can reproduce on cauldron. i will ask chromium devs.
(In reply to D Morgan from comment #50)
> i can reproduce on cauldron. i will ask chromium devs.
While it worked fine for the testing I did, I'll hold off validating the update till this is clarified.
Whiteboard: (none) => feedback
as this fix a lot of CVE ( some HIGH ), i don't know if this is a good idea to hold off the update. As i will push new updates as soon as they are available.
As per comment 52, I'll go ahead and validate this update. Could someone from the sysadmin team push the srpm chromium-browser-stable-26.0.1410.51-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. and link the rpm packages libprotobuf6-2.4.1-1.mga2 (Core 32bit Release) lib64protobuf6-2.4.1-1.mga2 (Core Release)) from Core Release to Core Updates. Please see comment 41 for the advisory.
Keywords: (none) => validated_update
Whiteboard: feedback => MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs
it needs libminizip too ( so a push on zlib )
Depends on: (none) => 2317
Packages linked and update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0113
Status: REOPENED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
zlib is not pushed (comment #54).
Assignee: qa-bugs => sysadmin-bugs
It's libminizip and libminizip-devel no ? There are in Mageia Core Update Testing !
(In reply to Adrien D from comment #57)
> It's libminizip and libminizip-devel no ?
>
> There are in Mageia Core Update Testing !
They are all provided by zlib SRPM.
should be OK Now
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
Reassigning to QA so it stays in the right searches
Assignee: sysadmin-bugs => qa-bugs