Re: FF 107.0 scratch builds - just for fun

On Mon, 2022-11-21 at 12:43 -0500, Demi Marie Obenour wrote:
> On 11/21/22 09:23, Simo Sorce wrote:
> > On Sun, 2022-11-20 at 19:24 -0500, Demi Marie Obenour wrote:
> > > On 11/20/22 17:40, Simo Sorce wrote:
> > > > On Sun, 2022-11-20 at 17:22 -0500, Demi Marie Obenour wrote:
> > > > > On 11/20/22 07:24, Bojan Smojver via devel wrote:
> > > > > > Now that nss 3.85 has been built, I thought I'd have a go at building
> > > > > > FF 107.0, given that's been out for a few days and original builds
> > > > > > failed in koji, because nss was too old at the time.
> > > > > 
> > > > > Has switching to bundled NSS been considered?  For browsers anything
> > > > > that holds up an update is very, *very* bad.
> > > > 
> > > > Casually handling crypto libraries is very, *very* worse.
> > > 
> > > Has there ever been a case where Fedora’s NSS was not vulnerable to
> > > something that the bundled NSS was vulnerable to?  To be clear, I am
> > > referring to the NSS shipped by Mozilla as a part of Firefox.
> > > Another option would be to ensure that NSS is promptly updated.
> > 
> > NSS is generally updated in order to release Firefox, I am not aware of
> > a chronic issue here.
> > 
> > We compile NSS differently than what Mozilla does, for example we use
> > the Fedora OS trust anchors, and the Fedora Crypto-Policies, etc. It
> > is not just about vulnerabilities, system integration matters too.
> > 
> > But we *have* released patches for security vulnerabilities in NSS w/o
> > requiring also a full recompile and retesting of Firefox.
> 
> In that case, can NSS be pushed out to stable immediately, along with
> the new Firefox?  Several days is too long a delay already.

One factor that sometimes holds things up is that the involved
maintainers never bundle updates properly. When there is a new Firefox
build and a new nss build that should go together, these should be
bundled in a single update, but they almost never are. This sometimes
causes the openQA tests to fail (if there's a hard version dependency
involved), which causes one or other update to be gated. If they were
properly bundled, this would not happen.

I have been leaving comments on Firefox updates for years asking for
this to be addressed, but it never happens. Most recent example:
https://bodhi.fedoraproject.org/updates/FEDORA-2022-1f8312716f

It does seem like there is a weirdly low level of co-operation between
nss and firefox maintainers, given that firefox is by a long way the
most significant and intertwined user of nss. It feels like there is
scope for improvement there.
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx