Hi Ola,

On Fri, Nov 04, 2016 at 01:17:36PM +0100, Ola Lundqvist wrote:
[..snip analysis..]
> As I can see it there are the following options:
> 1) Do nothing. Let it be like this. We have a regression problem but only
> for software that forks and uses nss in several threads.
> 2) Try to reverse the library split. This is a non-trivial task.
> 3) Try to fix the dlopen problem. I have tried in many ways but always
> fail. If anyone has a really good idea about this, please let me know.
> 4) Reverse the whole nss update. I'm not 100% sure how to do that as we did
> a version update and it is hard to "downgrade". We can certainly fix the
> CVE that this update solved. It should not be too hard.
> 
> What do you all think is the best option?

I would neither do 4 (it's good to have newer nspr/nss, see #824872) nor
2 (would deviate us from stretch, jessie and upstream). Given we don't
find other regressions I'd go for 3 or 1.

Although chromium is unsupported there might be people using it to
access "trusted" hosts for things that don't work with Firefox (at least
VCenter comes to mind).

Did you check what upstream chromium did when they updated nss? Maybe we
can cherry-pick a simple fix from there? If not this just leaves us with 1.

Cheers,
 -- Guido
