fix(mozjs128): drop scanner-flagged aes_archive.zip#17340
Closed
PawelWMS wants to merge 1 commit into
Closed
Conversation
PawelWMS
force-pushed
the
pawelwi/mozjs128-strip-aes-archive
branch
3 times, most recently
from
ddc3c17 to
af90ffa
Compare
PawelWMS
changed the title
The upstream `firefox-128.11.0esr.source.tar.xz` ships an
AES-encrypted ZIP fixture at
`firefox-128.11.0/third_party/rust/zip/tests/data/aes_archive.zip`
that comes from the cargo-vendored Rust `zip` crate's test suite.
That file trips the automated package-signing pipeline's deep
scanner with a benign encrypted-archive verdict, which fails the
SRPM signing step for mozjs128 even though the fixture is never
read at AZL build time -- the SpiderMonkey build only consumes
`js/src/`, and the cargo `zip` crate's test corpus is not
exercised by SpiderMonkey.
Mitigation: serve a downstream-modified Source0 with that single
file removed. The repack is deterministic so the resulting
tarball SHA-512 is reproducible from a fresh clone.
Files:
- `base/comps/components.toml`: remove the inline
`[components.mozjs128]` row (the dedicated component file is
auto-included by the `**/*.comp.toml` glob).
- `base/comps/mozjs128/mozjs128.comp.toml`: declare a
`[[components.mozjs128.source-files]]` block with
`replace-upstream = true` pointing at the locally-modified
tarball in the `pkgs_modified/mozjs128/` lookaside path
(SHA-512 = 39141838...370db2d).
- `base/comps/mozjs128/modify_source.sh`: deterministic script
that downloads the upstream `.tar.xz`, verifies its published
SHA-512, extracts, deletes the single `aes_archive.zip` leaf,
and repacks via `tar --sort=name --mtime --owner=0 --group=0
--numeric-owner | xz -T1 -9e`. Single-threaded xz keeps the
block-boundary layout (and therefore the SHA-512) host-CPU
independent.
- `locks/mozjs128.lock`: refreshed `input-fingerprint` to
reflect the new component definition.
- `specs/m/mozjs128/{mozjs128.spec,sources}`: re-rendered:
bumps `release_number` to 10, swaps the `sources` SHA-512 to
the modified-tarball hash, adds a `%changelog` entry.
PawelWMS
force-pushed
the
pawelwi/mozjs128-strip-aes-archive
branch
from
af90ffa to
2648707
Compare
📄❌ Rendered specs are out of dateFIX: — run this and commit the result: azldev component render mozjs128Or download the fix patch and apply it: gh run download 26179220266 -R microsoft/azurelinux -n rendered-specs-patch
git apply rendered-specs.patch
Content diffs`specs/m/mozjs128/mozjs128.spec`--- committed/specs/m/mozjs128/mozjs128.spec
+++ rendered/specs/m/mozjs128/mozjs128.spec
@@ -262,7 +262,7 @@
%changelog
## START: Generated by rpmautospec
* Mon May 18 2026 Pawel Winogrodzki <pawelwi@microsoft.com> - 128.11.0-10
-- mozjs128: drop scanner-flagged aes_archive.zip from Source0
+- fix(mozjs128): drop scanner-flagged aes_archive.zip from source0
* Thu Apr 30 2026 Daniel McIlvaney <damcilva@microsoft.com> - 128.11.0-9
- feat: introduce deterministic commit resolution via Azure Linux lock file
|
Contributor
Author
|
Superseded by #17368 (merged 2026-05-21), which removed |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Drop the single scanner-flagged file
firefox-128.11.0/third_party/rust/zip/tests/data/aes_archive.zipfrom mozjs128's Source0 via a downstreammodify_source.shrepack. The fixture is an AES-encrypted ZIP from the cargo-vendored Rustzipcrate's test suite that trips the automated package-signing pipeline's deep scanner with a benign encrypted-archive verdict, failing the SRPM signing step. It is never read at AZL build time — mozjs128 only consumesjs/src/.Files
base/comps/components.toml— remove the inline[components.mozjs128]row (the dedicated component file is auto-included by the**/*.comp.tomlglob).base/comps/mozjs128/mozjs128.comp.toml— declare[[components.mozjs128.source-files]]withreplace-upstream = truepointing at the locally-modified tarball inpkgs_modified/mozjs128/(SHA-51239141838…370db2d).base/comps/mozjs128/modify_source.sh— deterministic repack script: download upstream.tar.xz, verify published SHA-512, extract, delete the one fixture, repack viatar --sort=name --mtime --owner=0 --group=0 --numeric-owner | xz -T1 -9e. Single-threaded xz keeps the output hash host-CPU independent.locks/mozjs128.lock— refreshedinput-fingerprint.specs/m/mozjs128/{mozjs128.spec,sources}— re-rendered: bumpsrelease_numberto 10, swaps thesourcesSHA-512 to the modified tarball hash, adds a%changelogentry.Approach
Single-file strike (
aes_archive.ziponly) rather than a broader subtree strip — the only confirmed scanner detection on this SRPM is the single hit on this exact file. A minimal repack keeps the diff to a 4 MB delta against the upstream tarball and avoids breaking any of mozjs128's reverse-dependencies (cjs + the 8 cinnamon-* components).Supersedes the broader strip on #17208 (kept-only-
js/plus restored subtrees), which the build pipeline rejected.