Re: Regression problem, call for advice Re: Call for advice and testing of nss (and nspr) and intention to upload correction
- To: Ola Lundqvist <ola@inguza.com>
- Cc: Ben Hutchings <ben@decadent.org.uk>, Jiří Jánský <janskyj@gmail.com>, Balint Reczey <balint@balintreczey.hu>, Debian LTS <debian-lts@lists.debian.org>, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>, Mike Hommey <glandium@debian.org>, Florian Weimer <fw@deneb.enyo.de>, "J. R. Okajima" <hooanon05g@gmail.com>
- Subject: Re: Regression problem, call for advice Re: Call for advice and testing of nss (and nspr) and intention to upload correction
- From: Guido Günther <agx@sigxcpu.org>
- Date: Fri, 4 Nov 2016 13:36:14 +0100
- Message-id: <[🔎] 20161104123614.5r4vqkwasbq5mypa@bogon.m.sigxcpu.org>
- Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Ola Lundqvist <ola@inguza.com>, Ben Hutchings <ben@decadent.org.uk>, Jiří Jánský <janskyj@gmail.com>, Balint Reczey <balint@balintreczey.hu>, Debian LTS <debian-lts@lists.debian.org>, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>, Mike Hommey <glandium@debian.org>, Florian Weimer <fw@deneb.enyo.de>, "J. R. Okajima" <hooanon05g@gmail.com>
- In-reply-to: <[🔎] CABY6=0mN1rpB8L6OFDFNHQk8eNX5tcMYBFpaQUFiTmmv1348dw@mail.gmail.com>
- References: <[🔎] CABY6=0nBSxgRXSjm0mY8DCReHE-nF7nbzB8Fbk5kJ5Vso1HsFw@mail.gmail.com> <[🔎] 1478042325.9077.22.camel@decadent.org.uk> <[🔎] CAPCqDyROUPLm+xhPJcFkhqMrNXt9SpwzgdzPzYi8FjuZTBBcvQ@mail.gmail.com> <[🔎] 1478146933.29107.3.camel@decadent.org.uk> <[🔎] CABY6=0mN1rpB8L6OFDFNHQk8eNX5tcMYBFpaQUFiTmmv1348dw@mail.gmail.com>
Hi Ola,
On Fri, Nov 04, 2016 at 01:17:36PM +0100, Ola Lundqvist wrote:
[..snip analysis..]
> As I can see it there are the following options:
> 1) Do nothing. Let it be like this. We have a regression problem but only
> for software that fork and use nss in several threads.
> 2) Try to reverse the library split. This is a non-trivial task.
> 3) Try to fix the dlopen problem. I have tried in many ways but always
> fail. If anyone have a really good idea about this, please let me know.
> 4) Reverse the whole nss update. I'm not 100% sure how to do that as we did
> a version update and it is hard to "downgrade". We can certainly fix the
> CVE that this update solved. It should not be too hard.
>
> What do you all think is the best option?
I would neither do 4 (it's good to have newer nspr/nss, see #824872) or
2 (would deviate us from stretch, jessie and upstream). Given we don't
find other regressions it'd go for 3 or 1.
Although chromium is unsupported there might be people using it to
access "trusted" hosts for things that dont work with Firefix (at least
VCenter comes to mind).
Did you check what upstream chromium did when they updated nss? Maybe we
can cherry-pick a simple fix from there? If not this just leaves us with 1.
Cheers,
-- Guido
Reply to: