On Fri, 20 Jan 2017, Kai Engert wrote:
> Hello,
>
> we are currently dealing with a tricky situation that the NSS and Mozilla
> package maintainers have been discussing, and I'd like to publish our plan.
>
> The most recent NSS update, version 3.28.1, is required to ship to the Firefox
> 51 update planned for January 24.
>
> Unfortunately, NSS 3.28.1 is incompatible with Mozilla applications version 50
> and older.
>
> If Mozilla 50 or older is used together with NSS 3.28 or newer, and the
> application attempts to use HTTP v2, the connections to some servers may fail
> (including connections to Google servers).
>
> The fix is simple: it's possible to apply a small patch to the older Mozilla
> applications to make them compatible with NSS 3.28.1.
>
> The difficulty here is the timing, and it's a conflict between "don't break
> applications in Fedora" and "ship new Firefox security update as soon as
> possible".
>
> If we start by shipping NSS 3.28.1 first, without yet having fixed the Mozilla
> applications, then we allow Firefox 51 to be shipped, but we risk that the other
> applications aren't fixed in time, and that users might see regressions, caused
> by the upgrade to NSS 3.28.1.
>
> Alternatively, if we wait until all affected Mozilla packages have been updated
> to fixed versions, it might delay the January 24 Firefox 51 update.
>
> After discussing this, we have a preference to avoid the breakage in Fedora, and
> try to ship all required updates as soon as possible.
>
> In order to avoid the breakage, we want to add "Conflicts:" statements to the
> NSS 3.28.1 package, which make it conflict with all known Mozilla packages that
> don't contain the required fix yet.
>
> The packages we have identified are:
> - firefox
> - thunderbird
> - seamonkey
> - xulrunner
> - icecat
>
> I see that for all the above packages, build attempts that include the fix are
> already ongoing in koji, so there's hope that we might be able to resolve the
> situation in time.
FreeIPA is broken when trying to install with nss 3.28.1. We reliably
reproduce this issue with
https://bodhi.fedoraproject.org/updates/FEDORA-2017-e42b513012

It seems that new nss also breaks 389-ds LDAP server's selection of
available ciphers. As a result, ldapsearch does not work against the
389-ds LDAP server configured as part of FreeIPA deployment.

> However, if ANY of the above builds cannot be completed soon, or, if ANY of the
> updates cannot move to the stable Fedora updates, it can block users from
> upgrading to the Firefox 51 update on Jan 24.
>
> Is that acceptable?
I think failing server applications is unacceptable.


> Do you agree that we make NSS conflict with any known incompatible packages
> mentioned above, and thereby may inhibit a subset of Fedora users from upgrading
> to Firefox 51 immediately?
>
> If we can get all the above builds done quickly, and all of them pushed to
> Fedora stable updates quickly, we're good.
>
>
> Note that we have the remaining risk that we haven't identified all Mozilla
> packages that might be affected. The relevant code isn't in NSS, but in
> Mozilla's network code. That means, if the above list of packages isn't the
> complete set of affected Mozilla based applications, other packages might still
> experience the connectivity regression. But as soon as another package is
> identified, it can rebuild to pick up the mentioned fix.
>
> Thanks
> Kai
>
>
> PS:
> Tracking bug is here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1381400
> (Don't get confused with the separate, unrelated discussion on TLS 1.3)
> An example of the regression is here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1414929
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org

--
/ Alexander Bokovoy
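As an added illustration, not taken from the thread or from Fedora's real nss.spec, this is what the versioned "Conflicts:" tags Kai describes look like in an RPM spec; the fixed versions of thunderbird, seamonkey, xulrunner and icecat are placeholders, since the thread does not state them.

```spec
# Added example, not Fedora's actual spec. Each Conflicts: line keeps nss 3.28.1
# from being installed alongside a Mozilla build that predates the networking fix.
# The bound must be versioned and match the first fixed build: an unversioned
# "Conflicts: firefox" would also reject the fixed packages once they land.
Name:           nss
Version:        3.28.1
Release:        1%{?dist}
Summary:        Network Security Services

# Firefox 51 is the build the thread names as shipping with NSS 3.28.1.
Conflicts:      firefox < 51.0
# FIXED-EVR is a placeholder for the first koji build carrying the fix.
Conflicts:      thunderbird < FIXED-EVR
Conflicts:      seamonkey < FIXED-EVR
Conflicts:      xulrunner < FIXED-EVR
Conflicts:      icecat < FIXED-EVR
```

Because the package manager resolves the whole transaction, a system still carrying an older thunderbird is held back from the nss update (and so from Firefox 51) rather than having the old package removed, which is the trade-off the thread weighs.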