On Fri, 20 Jan 2017, Kai Engert wrote:
> Hello,
>
> we are currently dealing with a tricky situation, that the NSS and Mozilla package maintainers have been discussing, and I'd like to publish our plan.
>
> The most recent NSS update, version 3.28.1, is required to ship the Firefox 51 update planned for January 24.
>
> Unfortunately, NSS 3.28.1 is incompatible with Mozilla applications version 50 and older. If Mozilla 50 or older is used together with NSS 3.28 or newer, and the application attempts to use HTTP v2, the connections to some servers may fail (including connections to Google servers).
>
> The fix is simple, it's possible to apply a small patch to the older Mozilla applications, to make them compatible with NSS 3.28.1.
>
> The difficulty here is the timing, and it's a conflict between "don't break applications in Fedora" and "ship new Firefox security update as soon as possible".
>
> If we start by shipping NSS 3.28.1 first, without yet having fixed the Mozilla applications, then we allow Firefox 51 to be shipped, but we risk that the other applications aren't fixed in time, and that users might see regressions, caused by the upgrade to NSS 3.28.1.
>
> Alternatively, if we wait until all affected Mozilla packages have been updated to fixed versions, it might delay the January 24 Firefox 51 update.
>
> After discussing this, we have a preference to avoid the breakage in Fedora, and try to ship all required updates as soon as possible.
>
> In order to avoid the breakage, we want to add "Conflicts:" statements to the NSS 3.28.1 package, that make it conflict with all known Mozilla packages that don't contain the required fix yet.
>
> The packages we have identified are:
> - firefox
> - thunderbird
> - seamonkey
> - xulrunner
> - icecat
>
> I see that for all the above packages, build attempts that include the fix are already ongoing in koji, so there's hope that we might be able to resolve the situation in time.
FreeIPA is broken when trying to install with nss 3.28.1. We reliably reproduce this issue with https://bodhi.fedoraproject.org/updates/FEDORA-2017-e42b513012

It seems that new nss also breaks 389-ds LDAP server's selection of available ciphers. As a result, ldapsearch does not work against the 389-ds LDAP server configured as part of FreeIPA deployment.
> However, if ANY of the above builds cannot be completed soon, or, if ANY of the updates cannot move to the stable Fedora updates, it can block users from upgrading to the Firefox 51 update on Jan 24. Is that acceptable?
I think failing server applications is unacceptable.
> Do you agree that we make NSS conflict with any known incompatible packages mentioned above, and thereby may inhibit a subset of Fedora users from upgrading to Firefox 51 immediately?
>
> If we can get all the above builds done quickly, and all of them pushed to Fedora stable updates quickly, we're good.
>
> Note that we have the remaining risk that we haven't identified all Mozilla packages that might be affected. The relevant code isn't in NSS, but in Mozilla's network code. That means, if the above list of packages isn't the complete set of affected Mozilla based applications, other packages might still experience the connectivity regression. But as soon as another package is identified, it can rebuild to pick up the mentioned fix.
>
> Thanks
> Kai
>
> PS: Tracking bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=1381400
> (Don't get confused with the separate, unrelated discussion on TLS 1.3)
>
> An example of the regression is here: https://bugzilla.redhat.com/show_bug.cgi?id=1414929
>
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
--
/ Alexander Bokovoy
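The proposal above hinges on rpm refusing a transaction when a versioned "Conflicts:" clause on nss matches an installed Mozilla package. As an added illustration (not code from this thread, from the nss package or from Fedora's tooling), the Python below reimplements rpm's version comparison (rpmvercmp) and the epoch/version/release evaluation of such a clause, so the effect of a set of Conflicts lines can be checked offline before a build is pushed. The threshold EVRs and the installed package set are constructed placeholders: the thread names the affected packages but not the fixed builds, and "51.0-1" for firefox is only an illustrative threshold. It also shows two details that matter when writing the clauses: a clause without a release never compares the installed release, and a non-zero epoch on the installed package outranks any version in the clause.

```python
"""Pure-Python model of rpm's version comparison (rpmvercmp) and of how a
versioned 'Conflicts: name OP evr' clause is evaluated against an installed
package. Added example, not code from the thread or from the nss package.
All EVRs below are constructed placeholders, not the real fixed builds."""
import re

# Anything that is not an ASCII letter, digit or '~' is a separator.
_SEP = re.compile(r"[^0-9A-Za-z~]*")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like librpm; returns -1, 0 or 1.

    Strings are walked as alternating runs of digits and letters. Digit runs
    compare numerically, letter runs lexically, a digit run outranks a letter
    run, and '~' sorts before anything else, including the end of the string
    (so 51.0~b1 < 51.0). The newer '^' separator is not modelled here.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i = _SEP.match(a, i).end()
        j = _SEP.match(b, j).end()
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next run of the same kind (digits or letters) from both sides.
        if "0" <= a[i] <= "9":
            seg_a = re.match(r"[0-9]+", a[i:]).group()
            seg_b = re.match(r"[0-9]*", b[j:]).group()
            is_num = True
        else:
            seg_a = re.match(r"[A-Za-z]+", a[i:]).group()
            seg_b = re.match(r"[A-Za-z]*", b[j:]).group()
            is_num = False
        i += len(seg_a)
        j += len(seg_b)
        if not seg_b:
            # The runs are of different kinds: the numeric side is the newer one.
            return 1 if is_num else -1
        if is_num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]'; epoch defaults to 0, release to ''."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(installed: str, wanted: str) -> int:
    """Compare epoch, then version, then release. As in rpm, the release is
    only compared when both sides carry one, so 'Conflicts: foo < 51.0'
    treats every 51.0-<release> as not conflicting."""
    e1, v1, r1 = parse_evr(installed)
    e2, v2, r2 = parse_evr(wanted)
    for x, y in ((e1, e2), (v1, v2)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return rpmvercmp(r1, r2) if r1 and r2 else 0


_OPS = {
    "<": lambda r: r < 0, "<=": lambda r: r <= 0, "=": lambda r: r == 0,
    ">=": lambda r: r >= 0, ">": lambda r: r > 0,
}


def clause_matches(installed_evr: str, op: str, wanted_evr: str) -> bool:
    """True if an installed EVR satisfies 'Conflicts: name OP wanted_evr',
    i.e. rpm would refuse a transaction that leaves both packages installed."""
    return _OPS[op](evrcmp(installed_evr, wanted_evr))


def conflicts_lines(thresholds: dict) -> list:
    """Render the spec-file clauses for a {package: first fixed EVR} map."""
    return [f"Conflicts: {name} < {evr}" for name, evr in thresholds.items()]


def blocking_packages(installed: dict, thresholds: dict) -> list:
    """Installed packages that would trip one of the generated clauses."""
    return sorted(name for name, evr in installed.items()
                  if name in thresholds and clause_matches(evr, "<", thresholds[name]))


# Constructed sample data (placeholders, not the real Fedora builds).
SAMPLE_THRESHOLDS = {"firefox": "51.0-1", "xulrunner": "51.0-1"}
SAMPLE_INSTALLED = {
    "firefox": "50.1.0-1.fc25",   # older than the threshold: would block the nss update
    "xulrunner": "51.0-1.fc25",   # at or after the threshold: no conflict
    "nss": "3.27.2-1.fc25",       # the package carrying the clauses; not checked
}

if __name__ == "__main__":
    print("\n".join(conflicts_lines(SAMPLE_THRESHOLDS)))
    print("blocked by:", blocking_packages(SAMPLE_INSTALLED, SAMPLE_THRESHOLDS))
```

Running the block prints the two generated clauses and reports firefox as the only installed package that would hold the nss update back. The rpmvercmp function is general, so the same code can be used to sanity-check any other threshold, including pre-release tags written with a tilde.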