[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Using the same nss in all suites



On Fri, Nov 06, 2015 at 05:22:15PM +0100, Guido Günther wrote:
> Hi,
> On Thu, Nov 05, 2015 at 09:00:51PM +0100, Florian Weimer wrote:
> > * Mike Hommey:
> > 
> > > On ABI stability, both NSPR and NSS have a very strict policy. NSPR
> > > receives very few ABI changes, and it's only adding new functions. NSS
> > > has much more ABI changes, but also only adding new functions.
> > 
> > This is incorrect, there have been unplanned ABI changes related to
> > SSL_ImplementedCiphers variable:
> > 
> >   <http://openwall.com/lists/oss-security/2015/09/07/6>
> > 
> > I will fix the glibc warning to be much more explicit about this.
> 
> Wow, that one is ugly.
> 
> > 
> > > The biggest issue with NSS version bumps is that defaults change,
> > > such as cyphers, protocols, etc. That can have unexpected
> > > consequences on existing setups.
> > 
> > The typical complaint with NSS is the opposite, tha the defaults do
> > not change fast enough.  Iceweasel/Mozilla PSM overrides basically all
> > the settings, so what you see there does not reflect upstream NSS
> > defaults.
> > 
> > (This is a significant concern for Fedora and its downstream because
> > of the attempt crypto consolidation to NSS and greater NSS usage
> > there.)
> 
> But is this worse than backporting? In this case conservative would be
> good for what we want to do.

I wonder how to move forward with this? I'll start preparing packages so
we can at least to some testing and maybe provide current versions via
backports.
Cheers,
 -- Guido


Reply to: