Hi all

I have now been able to run the tests and also the abi version checker. I think it looks good.
I could not verify FIPS 140-1 tests due to some device error (I'm running in a chroot so I guess that is the problem) but everything else is working.

The ABI reports are available here:
nspr: http://apt.inguza.net/wheezy-security/nspr/compat_report.html
nss: http://apt.inguza.net/wheezy-security/nss/compat_report.html

If I do not hear any further objections I'll upload this early next week

Best regards

// Ola

On 21 October 2016 at 23:40, Guido Günther <a...@sigxcpu.org> wrote:

> On Fri, Oct 21, 2016 at 11:16:54PM +0200, Ola Lundqvist wrote:
> > Hi Guido
> >
> > Thanks a lot for the information. I'll enable this and will also run
> > abi-compliance check tool.
> > Is it this [1] one you have used?
> >
> > [1] https://lvc.github.io/abi-compliance-checker/
>
> IIRC I've used the abi-compliance-checker Debian package.
> Cheers,
>  -- Guido
>
> >
> > Best regards
> >
> > // Ola
> >
> > On 20 October 2016 at 23:48, Guido Günther <a...@sigxcpu.org> wrote:
> >
> > > Hi Ola,
> > > On Thu, Oct 20, 2016 at 11:15:29PM +0200, Ola Lundqvist wrote:
> > > > Hi LTS team, Mozilla maintainers, Mike and Florian
> > > >
> > > > I have been working on the security problem reported in nss (and nspr).
> > > > https://security-tracker.debian.org/tracker/TEMP-0000000-583651
> > > > It is about unprotected environment variables.
> > > >
> > > > I did a check on what Florian Weimer had done for jessie-security and
> > > > the solution there was simply to package the new upstream release. So
> > > > I decided to do that approach as well. The advantage with this is that
> > > > we will not only have this problem solved, but also a few more.
> > > >
> > > > TEMP-0000000-583651 (nspr and nss)
> > > > CVE-2014-3566
> > > > CVE-2014-1490
> > > > CVE-2013-1740
> > > >
> > > > The disadvantage is that we are not playing safe. However it looks
> > > > backwards compatible, but you never know.
> > > >
> > > > So all in all I have produced the following:
> > > >
> > > > nspr:
> > > > http://apt.inguza.net/wheezy-security/nspr
> > > > This is essentially a mimic of the jessie-security package changes.
> > > >
> > > > nss:
> > > > http://apt.inguza.net/wheezy-security/nss
> > > > This is essentially a re-build of the jessie-security package with
> > > > changes file kept and only updated with one new entry.
> > > >
> > > > Call for advice:
> > > > 1) Do you have an opinion about the fact that I backport new upstream release?
> > >
> > > See my discussion with the release team about this:
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824872
> > >
> > > > 2) Will we have a build problem as nss depends on the latest nspr? I
> > > > guess I shall upload nspr first.
> > >
> > > See my runs of the abi compliance checker in the above URL.
> > >
> > > > 3) Shall I create one DLA covering both packages or shall I just
> > > > produce one DLA covering both nspr and nss?
> > >
> > > The rule is one DLA per package AFAIK.
> > >
> > > > I think one DLA is the best as both are needed to solve the problem
> > > > reported. But maybe that is against some practice. If you think I
> > > > shall write two, then please advise me what to write in the DLA for
> > > > nspr.
> > > >
> > > > Call for testing:
> > > > 4) As this package can have a rather big impact on a lot of other
> > > > packages it would be good if all of you install the new version (nss
> > > > is the important one) to see if it works for you.
> > >
> > > See
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806207
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809723
> > >
> > > that enable the internal test suites and add some autopkgtests. This
> > > should help to gain some confidence.
> > > Cheers,
> > >  -- Guido
> > >
> > > >
> > > > I did not produce a debdiff as that diff was way too large to be useful.
> > > >
> > > > I have installed it myself but I have not been able to verify that the
> > > > tools using it are really working. Most are GUI tools and I do not have
> > > > a GUI environment to test wheezy in. The libnss3-tools package seems
> > > > to work fine to the limit I was able to check.
> > > >
> > > > I have not tried to reproduce the problem as the report was too vague
> > > > to give any good advice on what environment variable that could
> > > > actually cause a problem.
> > > >
> > > > If I do not hear any objections in four days I will upload anyway.
> > > >
> > > > Thanks in advance
> > > >
> > > > // Ola
> > > >
> > > > --
> > > >  --- Inguza Technology AB --- MSc in Information Technology ----
> > > > |  o...@inguza.com                    Folkebogatan 26
> > > > |  o...@debian.org                    654 68 KARLSTAD
> > > > |  http://inguza.com/                Mobile: +46 (0)70-332 1551
> > > > |  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
> > > >
> > > >
> > >
> >
> > --
> >  --- Inguza Technology AB --- MSc in Information Technology ----
> > /  o...@inguza.com                    Folkebogatan 26            \
> > |  o...@debian.org                    654 68 KARLSTAD            |
> > |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> > \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
> >  ---------------------------------------------------------------
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                    654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------