On Mon, Nov 21, 2022 at 12:45 PM Demi Marie Obenour <demiobenour@xxxxxxxxx> wrote: > > On 11/21/22 09:23, Simo Sorce wrote: > > On Sun, 2022-11-20 at 19:24 -0500, Demi Marie Obenour wrote: > >> On 11/20/22 17:40, Simo Sorce wrote: > >>> On Sun, 2022-11-20 at 17:22 -0500, Demi Marie Obenour wrote: > >>>> On 11/20/22 07:24, Bojan Smojver via devel wrote: > >>>>> Now that nss 3.85 has been built, I thought I'd have a go at building > >>>>> FF 107.0, given that's been out for a few days and original builds > >>>>> failed in koji, because nss was too old at the time. > >>>> > >>>> Has switching to bundled NSS been considered? For browsers anything > >>>> that holds up an update is very, *very* bad. > >>> > >>> Casually handling crypto libraries is very, *very* worse. > >> > >> Has there ever been a case where Fedora’s NSS was not vulnerable to > >> something that the bundled NSS was vulnerable to? To be clear, I am > >> referring to the NSS shipped by Mozilla as a part of Firefox. > >> Another option would be to ensure that NSS is promptly updated. > > > > NSS is generally updated in order to release Firefox, I am not aware of > > a chronic issue here. > > > > We compile NSS differently than what Mozilla does, for example we use > > the Fedora OS trust anchors, and the Fedora Crypto-Policies, etc.. it > > is not just about vulnerabilities, system integration matters too. > > > > But we *have* released patches for security vulnerabilities in NSS w/o > > requiring also a full recompile and retesting of Firefox. > > In that case, can NSS be pushed out to stable immediately, along with > the new Firefox? Several days is too long a delay already. Unless people do karma brigades, that is not possible. There is no way to immediately push something to the stable updates channel. -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
