On Fri, Jan 20, 2017 at 9:52 AM, Kai Engert <kaie@xxxxxxx> wrote:
> Hello,
>
> we are currently dealing with a tricky situation, that the NSS and Mozilla
> package maintainers have been discussing, and I'd like to publish our plan.
>
> The most recent NSS update, version 3.28.1, is required to ship to the Firefox
> 51 update planned for January 24.
>
> Unfortunately, NSS 3.28.1 is incompatible with Mozilla applications version 50
> and older.
>
> If Mozilla 50 or older is used together with NSS 3.28 or newer, and the
> application attempts to use HTTP v2, the connections to some servers may fail
> (including connections to Google servers).
>
> The fix is simple, it's possible to apply a small patch to the older Mozilla
> applications, to make it compatible with NSS 3.28.1
>
> The difficulty here is the timing, and it's a conflict between "don't break
> applications in Fedora" and "ship new Firefox security update as soon as
> possible".
>
> If we start by shipping NSS 3.28.1 first, without yet having fixed the Mozilla
> applications, then we allow Firefox 51 to be shipped, but we risk that the other
> applications aren't fixed in time, and that users might see regressions, caused
> by the upgrade to NSS 3.28.1
>
> Alternatively, if we wait until all affected Mozilla packages have been updated
> to fixed versions, it might delay the January 24 Firefox 51 update.
>
> After discussing this, we have a preference to avoid the breakage in Fedora, and
> try to ship all required updates as soon as possible.
>
> In order to avoid the breakage, we want to add "Conflicts:" statements to the
> NSS 3.28.1 package, that makes it conflict with all known Mozilla packages that
> don't contain the required fix yet.
>
> The packages we have identified are:
> - firefox
> - thunderbird
> - seamonkey
> - xulrunner
> - icecat
>
> I see that for all the above packages, build attempts that include the fix are
> already ongoing in koji, so there's hope that we might be able to resolve the
> situation in time.
>
> However, if ANY of the above build cannot be completed soon, or, if ANY of the
> updates cannot move to the stable Fedora updates, it can block users from
> upgrading to the Firefox 51 update on Jan 24.
>
> Is that acceptable?
>
> Do you agree that we make NSS conflict with any known incompatible packages
> mentioned above, and thereby may inhibit a subset of Fedora users from upgrading
> to Firefox 51 immediately?
>
> If we can get all the above builds done quickly, and all of them pushed to
> Fedora stable updates quickly, we're good.
>
>
> Note that we have the remaining risk that we haven't identified all Mozilla
> packages that might be affected. The relevant code isn't in NSS, but in
> Mozilla's network code. That means, if the above list of packages isn't the
> complete set of affected Mozilla based applications, other packages might still
> experience the connectivity regression. But as soon as another package is
> identified, it can rebuild to pick up the mentioned fix.

Is bundling the newer NSS release inside of firefox itself an option?
While it may not be the best long-term solution and we all know the
downsides of bundling, it is at least pragmatic in the short-term.
That would allow firefox to ship and time for the remaining packages
to be updated. Once they're ready, the bundling in firefox could be
dropped and an update with all the packages could be done.

josh
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx