Re: heads up: nss 3.59 breaks firefox add-ons

On Tue, 2020-12-15 at 17:59 -0500, Steven A. Falco wrote:
> On 12/15/20 5:09 PM, Adam Williamson wrote:
> > On Tue, 2020-12-15 at 22:38 +0100, Alexander Ploumistos wrote:
> > > On Tue, Dec 15, 2020 at 9:04 PM Alexander Ploumistos
> > > <alex.ploumistos@xxxxxxxxx> wrote:
> > > > 
> > > > On Tue, Dec 15, 2020 at 8:17 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> > > > > 
> > > > > If you upgrade in f33 or rawhide to nss 3.59, all your firefox add-ons
> > > > > will stop working. Worse they will appear corrupted, so you will have to
> > > > > remove them and re-install them (after downgrading nss).
> > > > 
> > > > I'm running firefox 83.0-13.fc33.x86_64 with nss 3.59.0-2.fc33
> > > > installed since it hit my local updates-testing mirror and all my
> > > > add-ons are looking good.
> > > 
> > > So, I spoke too soon. I just got notified that one of my add-ons is
> > > misbehaving and it has been disabled. I'm still on the same session I
> > > was when I sent the previous message, nothing was installed or updated
> > > in the meantime. Is this bug time-based or something?
> > 
> > You didn't answer the question whether you had restarted Firefox since
> > installing the new nss.
> > 
> > Either way, probably Firefox is doing a periodic check of installed
> > add-ons and that fails whenever it happens now. The issue is they're
> > signed with SHA-1 certs, but nss is now not accepting SHA-1 per the
> > current system-wide policy.
> 
> Since there is no great way for end-users to motivate the various add-on creators to update their certs, this sounds like a serious problem.
> 
> For now I've put an exclude in my dnf.conf to prevent any nss upgrades, but that is also not a great solution, for obvious reasons.  Perhaps there will have to be a way for end-users to override the check for critical add-ons.  Hopefully the add-on creators will eventually switch certs, but that could take a very long time.

To be clear, the update is not stable for F33 and should not go stable.
It's only in updates-testing.

I wrote in the update that in my opinion the solution for this bug
can't involve expecting add-ons to suddenly get re-signed en masse, or
users to change their local configuration. It needs to keep working as
it did before. If the policy is ahead of the real world, the policy
needs to be loosened.
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net
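
An added example, not part of the original message and not Firefox or nss code: a standard-library audit that lists which hash and signature algorithm OIDs are named in an add-on archive's signature block, to see which installed add-ons a policy that rejects SHA-1 would affect. It assumes JAR-style signing with a DER-encoded PKCS#7 file under META-INF/ (the file name `mozilla.rsa` and the sample bytes are constructed for illustration), and it only reports the algorithms named; it does not verify any signature.

```python
import io
import zipfile

ALGS = {  # algorithm OIDs worth reporting in a SHA-1 policy audit
    "1.3.14.3.2.26": "sha1",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def decode_oid(body):  # DER OBJECT IDENTIFIER content bytes -> dotted string
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit = "more follows"
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def walk_oids(der):  # yield every OID, recursing into constructed values
    i = 0
    while i < len(der):
        tag, length = der[i], der[i + 1]  # assumes single-byte tags
        i += 2
        if length & 0x80:  # long form: low 7 bits give the length's byte count
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        body, i = der[i:i + length], i + length
        if tag == 0x06:
            yield decode_oid(body)
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [0] ...
            yield from walk_oids(body)

def signature_algs(xpi_bytes):  # {signature file: known algorithms it names}
    found = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.lower().endswith((".rsa", ".dsa", ".ec")):
                oids = set(walk_oids(z.read(name)))
                found[name] = sorted(ALGS[o] for o in oids if o in ALGS)
    return found

# Constructed sample, not a real PKCS#7 blob: SEQUENCE { SEQUENCE { OID sha1WithRSAEncryption, NULL } }
SAMPLE_DER = bytes.fromhex("300f300d06092a864886f70d0101050500")

def sample_xpi(der=SAMPLE_DER):  # in-memory archive; the file name is an assumption
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/mozilla.rsa", der)
    return buf.getvalue()
```

To audit a real file, pass its bytes: `signature_algs(open(path, "rb").read())`.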

