
Re: Using the same nss in all suites



On Thu, Nov 05, 2015 at 08:25:47AM +0100, Guido Günther wrote:
> Hi,
> 
> Backporting fixes for nss can become a challenge over time due to:
> 
> * Bugs related to MFAs (often containing test cases) being restricted so
>   one can only look at hg and try to find all the relevant commits.
> 
> * The library has rather frequent security updates
> 
> * The code diverges over the years
> 
> 
> I haven't found an explicit statement about ABI stability on the nss
> site but Red Hat and others seem to be doing fine with always using the
> latest version in all suites and I wonder if we should do the same. This
> would probably include updating the nspr dependency from time to time
> too.
> 
> I wonder what's the maintainers' and security team's stance on this?
> Should we do this? Should we start with this during Jessie? If so I
> would be happy to prepare packages for the different distributions and
> do some testing.

On ABI stability, both NSPR and NSS have a very strict policy. NSPR
receives very few ABI changes, and it's only adding new functions. NSS
has many more ABI changes, but also only adding new functions.
The biggest issue with NSS version bumps is that defaults change, such
as cyphers, protocols, etc. That can have unexpected consequences on
existing setups.

Mike

