
Re: Using the same nss upstream version in all suites?



On 2016-02-29 15:58:31, Guido Günther wrote:
> On Thu, Dec 31, 2015 at 01:13:19PM +0100, Guido Günther wrote:
>> Hi release team,
>> on the LTS list we discussed if it would be feasible to have the same
>> nspr/nss[1] upstream version in all suites (namely testing, stable,
>> oldstable, oldoldstable). There are several reasons for this:
>> 
>>   * Doing so would reduce the number of embedded code copies in
>>     icedove/iceweasel/chromium/.... They currently become necessary at
>>     one point once the version shipped in stable becomes too old.
>> 
>>   * NSS receives frequent security updates that currently require
>>     backporting the patches to very different versions
>> 
>>   * Backporting NSS patches becomes much harder over the years so
>>     introducing a new version might become less risky than doing the
>>     backport.
>> 
>>   * NSS/NSPR have strict ABI policies[2] to not break backward
>>     compatibility.
>> 
>>   * Security bugs are often restricted on the mozilla bug tracker for
>>     a long time so we know there _is_ a bug but might not know what it
>>     is until the bug is publicly accessible.
>> 
>>   * We would have the same crypto policies for programs linked against
>>     nss in all suites.
>> 
>> As a first step we discussed if it would be possible to introduce the
>> new nspr/nss versions via stable point releases. This would allow us to
>> ask for testing via the proposed-updates repo while still being able to
>> fix any regressions via a DSA. Backporting would become simpler since
>> the same backporting would happen for stable/oldstable and oldoldstable
>> and the diff to the new upstream version is minimal.
>> 
>> In order to improve confidence in nss upstream releases we enabled the
>> test suite during the build and added some basic autopkg tests[3,4].
>> 
>> Would it be o.k. for the release team to handle new nss/nspr versions
>> via stable point releases?
>
> Now that squeeze moves out of support would it be o.k. to update nss via
> p-u for stable and oldstable?

I would also like to support Brian here. As I described here:

http://lists.debian.org/874mbpuiyz.fsf@angela.anarcat.ath.cx

... some issues in wheezy can't easily be fixed by backporting
patches. CVE-2015-4000, for example, is a major undertaking which
involves patching a lot of stuff, way more than the original patchset to
fix the vulnerability.

Some patches just don't make any sense at all because they affect the
TLS 1.2 vulnerability, which is simply not available in Wheezy. Using
the same suite there would also fix that problem.

It would also make sense since NSS is basically part of Firefox, which *has*
the same version in all suites.

Any feedback on that?

Thanks!

A.

-- 
Education is the most powerful weapon which we can use to change the
world.
                       - Nelson Mandela

