
Re: Using the same nss in all suites



Hi Moritz,
On Mon, Dec 14, 2015 at 06:04:33PM +0100, Moritz Muehlenhoff wrote:
> On Wed, Nov 25, 2015 at 11:58:19AM +0100, Florian Weimer wrote:
> > * Guido Günther:
> > 
> > > On Thu, Nov 05, 2015 at 09:00:51PM +0100, Florian Weimer wrote:
> > >> * Mike Hommey:
> > >> > The biggest issue with NSS version bumps is that defaults change,
> > >> > such as cyphers, protocols, etc. That can have unexpected
> > >> > consequences on existing setups.
> > >> 
> > >> The typical complaint with NSS is the opposite, that the defaults do
> > >> not change fast enough.  Iceweasel/Mozilla PSM overrides basically all
> > >> the settings, so what you see there does not reflect upstream NSS
> > >> defaults.
> > >> 
> > >> (This is a significant concern for Fedora and its downstream because
> > >> of the attempted crypto consolidation to NSS and greater NSS usage
> > >> there.)
> > >
> > > But is this worse than backporting? In this case conservative would be
> > > good for what we want to do.
> > 
> > Yes, for mere backporting of new versions, this can be helpful.
> 
> OTOH, new Iceweasel ESR releases also deprecate insecure crypto features,
> so doing the same in nss seems somewhat acceptable to me.
> 
> We could move to new NSS releases in point releases and ask people to
> test these new packages from stable-proposed-updates (And continue to
> use isolated patches for security updates).

I think that makes sense for the current stable release and since we're
much closer to upstream, using isolated patches between point releases
should become simpler too.

For LTS we would then use new nss versions after a point release with
the next round of security updates (until we have point releases for LTS
as well).

One thing though is that we don't have a DSA for announcing the new
nss version in the point release, but we don't have this for other
packages either. Did this turn out to be problematic for other packages
in the past that switched to a new version in a point release?

Mike, do you have an opinion on this one, or do you care at all?

If this is the way forward I'll ask the release team if they're
o.k. with this.

Cheers,
 -- Guido

