Re: Using the same nss in all suites

To: Florian Weimer <fw@deneb.enyo.de>
Cc: Mike Hommey <mh@glandium.org>, team@security.debian.org, debian-lts@lists.debian.org
Subject: Re: Using the same nss in all suites
From: Guido Günther <agx@sigxcpu.org>
Date: Fri, 6 Nov 2015 17:22:15 +0100
Message-id: <[🔎] 20151106162215.GB9689@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Florian Weimer <fw@deneb.enyo.de>, Mike Hommey <mh@glandium.org>, team@security.debian.org, debian-lts@lists.debian.org
In-reply-to: <[🔎] 87y4ecgqrw.fsf@mid.deneb.enyo.de>
References: <[🔎] 20151105072547.GA4006@bogon.m.sigxcpu.org> <[🔎] 20151105073056.GA29179@glandium.org> <[🔎] 87y4ecgqrw.fsf@mid.deneb.enyo.de>

Hi,
On Thu, Nov 05, 2015 at 09:00:51PM +0100, Florian Weimer wrote:
> * Mike Hommey:
> 
> > On ABI stability, both NSPR and NSS have a very strict policy. NSPR
> > receives very few ABI changes, and it's only adding new functions. NSS
> > has much more ABI changes, but also only adding new functions.
> 
> This is incorrect, there have been unplanned ABI changes related to
> SSL_ImplementedCiphers variable:
> 
>   <http://openwall.com/lists/oss-security/2015/09/07/6>
> 
> I will fix the glibc warning to be much more explicit about this.

Wow, that one is ugly.

> 
> > The biggest issue with NSS version bumps is that defaults change,
> > such as cyphers, protocols, etc. That can have unexpected
> > consequences on existing setups.
> 
> The typical complaint with NSS is the opposite, tha the defaults do
> not change fast enough.  Iceweasel/Mozilla PSM overrides basically all
> the settings, so what you see there does not reflect upstream NSS
> defaults.
> 
> (This is a significant concern for Fedora and its downstream because
> of the attempt crypto consolidation to NSS and greater NSS usage
> there.)

But is this worse than backporting? In this case conservative would be
good for what we want to do.

Cheers,
 -- Guido

Reply to:

Follow-Ups:
- Re: Using the same nss in all suites
  - From: Guido Günther <agx@sigxcpu.org>
- Re: Using the same nss in all suites
  - From: Florian Weimer <fw@deneb.enyo.de>
- Unidentified subject!
  - From: Guido Günther <agx@sigxcpu.org>

References:
- Using the same nss in all suites
  - From: Guido Günther <agx@sigxcpu.org>
- Re: Using the same nss in all suites
  - From: Mike Hommey <mh@glandium.org>
- Re: Using the same nss in all suites
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: Testing mysql-5.5 on squeeze
Next by Date: Re: Unsupported packages for Wheezy LTS
Previous by thread: Re: Using the same nss in all suites
Next by thread: Re: Using the same nss in all suites
Index(es):
- Date
- Thread