Re: Using the same nss in all suites
On Fri, Nov 06, 2015 at 05:22:15PM +0100, Guido Günther wrote:
> Hi,
> On Thu, Nov 05, 2015 at 09:00:51PM +0100, Florian Weimer wrote:
> > * Mike Hommey:
> >
> > > On ABI stability, both NSPR and NSS have a very strict policy. NSPR
> > > receives very few ABI changes, and it's only adding new functions. NSS
> > > has much more ABI changes, but also only adding new functions.
> >
> > This is incorrect, there have been unplanned ABI changes related to
> > SSL_ImplementedCiphers variable:
> >
> > <http://openwall.com/lists/oss-security/2015/09/07/6>
> >
> > I will fix the glibc warning to be much more explicit about this.
>
> Wow, that one is ugly.
>
> >
> > > The biggest issue with NSS version bumps is that defaults change,
> > > such as cyphers, protocols, etc. That can have unexpected
> > > consequences on existing setups.
> >
> > The typical complaint with NSS is the opposite, tha the defaults do
> > not change fast enough. Iceweasel/Mozilla PSM overrides basically all
> > the settings, so what you see there does not reflect upstream NSS
> > defaults.
> >
> > (This is a significant concern for Fedora and its downstream because
> > of the attempt crypto consolidation to NSS and greater NSS usage
> > there.)
>
> But is this worse than backporting? In this case conservative would be
> good for what we want to do.
I wonder how to move forward with this? I'll start preparing packages so
we can at least to some testing and maybe provide current versions via
backports.
Cheers,
-- Guido
Reply to: