Re: Using the same nss in all suites

To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Guido Günther <agx@sigxcpu.org>, Mike Hommey <mh@glandium.org>, team@security.debian.org, debian-lts@lists.debian.org
Subject: Re: Using the same nss in all suites
From: Florian Weimer <fw@deneb.enyo.de>
Date: Mon, 14 Dec 2015 18:32:46 +0100
Message-id: <[🔎] 87twnl7x6p.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 20151214170433.GA25204@inutil.org> (Moritz Muehlenhoff's message of "Mon, 14 Dec 2015 18:04:33 +0100")
References: <20151105072547.GA4006@bogon.m.sigxcpu.org> <20151105073056.GA29179@glandium.org> <87y4ecgqrw.fsf@mid.deneb.enyo.de> <20151106162215.GB9689@bogon.m.sigxcpu.org> <87d1uyuz04.fsf@mid.deneb.enyo.de> <[🔎] 20151214170433.GA25204@inutil.org>

* Moritz Muehlenhoff:

(NSS backwards compatibility)

>> Yes, for mere backporting of new versions, this can be helpful.
>
> OTOH, new Iceweasel ESR releases also deprecate insecure crypto features,
> so doing the same in nss seems somewhat acceptable to me.

NSS is far more radical than that: Upstream does not enable new
algorithms and protocol versions by default (which are generally
considered improvements, such as TLS 1.2).  This is gradually
changing, but it is an extremely slow process.

Firefox basically overrides *every* NSS default.

Reply to:

References:
- Re: Using the same nss in all suites
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Re: Using the same nss in all suites
Next by Date: Re: squeeze update of cacti?
Previous by thread: Re: Using the same nss in all suites
Next by thread: Re: Using the same nss in all suites
Index(es):
- Date
- Thread