Re: Using the same nss in all suites



On Wed, Nov 25, 2015 at 11:58:19AM +0100, Florian Weimer wrote:
> * Guido Günther:
> 
> > On Thu, Nov 05, 2015 at 09:00:51PM +0100, Florian Weimer wrote:
> >> * Mike Hommey:
> >> > The biggest issue with NSS version bumps is that defaults change,
> >> > such as cyphers, protocols, etc. That can have unexpected
> >> > consequences on existing setups.
> >> 
> >> The typical complaint with NSS is the opposite, that the defaults do
> >> not change fast enough.  Iceweasel/Mozilla PSM overrides basically all
> >> the settings, so what you see there does not reflect upstream NSS
> >> defaults.
> >> 
> >> (This is a significant concern for Fedora and its downstream because
> >> of the attempted crypto consolidation to NSS and greater NSS usage
> >> there.)
> >
> > But is this worse than backporting? In this case conservative would be
> > good for what we want to do.
> 
> Yes, for mere backporting of new versions, this can be helpful.

OTOH, new Iceweasel ESR releases also deprecate insecure crypto features,
so doing the same in nss seems somewhat acceptable to me.

We could move to new NSS releases in point releases and ask people to
test these new packages from stable-proposed-updates (and continue to
use isolated patches for security updates).

Cheers,
        Moritz

