On 01/20/2017 04:13 PM, Josh Boyer wrote:
On Fri, Jan 20, 2017 at 9:52 AM, Kai Engert <kaie@xxxxxxx> wrote:
Hello,
we are currently dealing with a tricky situation, that the NSS and Mozilla
package maintainers have been discussing, and I'd like to publish our plan.
The most recent NSS update, version 3.28.1, is required to ship to the Firefox
51 update planned for January 24.
Unfortunately, NSS 3.28.1 is incompatible with Mozilla applications version 50
and older.
If Mozilla 50 or older is used together with NSS 3.28 or newer, and the
application attempts to use HTTP v2, the connections to some servers may fail
(including connections to Google servers).
The fix is simple: it's possible to apply a small patch to the older Mozilla
applications, to make them compatible with NSS 3.28.1.
The difficulty here is the timing, and it's a conflict between "don't break
applications in Fedora" and "ship new Firefox security update as soon as
possible".
If we start by shipping NSS 3.28.1 first, without yet having fixed the Mozilla
applications, then we allow Firefox 51 to be shipped, but we risk that the other
applications aren't fixed in time, and that users might see regressions, caused
by the upgrade to NSS 3.28.1.
Alternatively, if we wait until all affected Mozilla packages have been updated
to fixed versions, it might delay the January 24 Firefox 51 update.
After discussing this, we have a preference to avoid the breakage in Fedora, and
try to ship all required updates as soon as possible.
In order to avoid the breakage, we want to add "Conflicts:" statements to the
NSS 3.28.1 package, that make it conflict with all known Mozilla packages that
don't contain the required fix yet.
The packages we have identified are:
- firefox
- thunderbird
- seamonkey
- xulrunner
- icecat
I see that for all the above packages, build attempts that include the fix are
already ongoing in koji, so there's hope that we might be able to resolve the
situation in time.
However, if ANY of the above builds cannot be completed soon, or, if ANY of the
updates cannot move to the stable Fedora updates, it can block users from
upgrading to the Firefox 51 update on Jan 24.
Is that acceptable?
Do you agree that we make NSS conflict with any known incompatible packages
mentioned above, and thereby may inhibit a subset of Fedora users from upgrading
to Firefox 51 immediately?
If we can get all the above builds done quickly, and all of them pushed to
Fedora stable updates quickly, we're good.
Note that we have the remaining risk that we haven't identified all Mozilla
packages that might be affected. The relevant code isn't in NSS, but in
Mozilla's network code. That means, if the above list of packages isn't the
complete set of affected Mozilla based applications, other packages might still
experience the connectivity regression. But as soon as another package is
identified, it can rebuild to pick up the mentioned fix.
Is bundling the newer NSS release inside of firefox itself an option?
While it may not be the best long-term solution and we all know the
downsides of bundling, it is at least pragmatic in the short-term.
That would allow firefox to ship and time for the remaining packages
to be updated. Once they're ready, the bundling in firefox could be
dropped and an update with all the packages could be done.
All builds are ready except TB on arm. I'm sure we make that in time.
Martin
josh
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx