On 21. 11. 22 at 18:56, Adam Williamson wrote:
> On Mon, 2022-11-21 at 12:43 -0500, Demi Marie Obenour wrote:
>> On 11/21/22 09:23, Simo Sorce wrote:
>>> On Sun, 2022-11-20 at 19:24 -0500, Demi Marie Obenour wrote:
>>>> On 11/20/22 17:40, Simo Sorce wrote:
>>>>> On Sun, 2022-11-20 at 17:22 -0500, Demi Marie Obenour wrote:
>>>>>> On 11/20/22 07:24, Bojan Smojver via devel wrote:
>>>>>>> Now that nss 3.85 has been built, I thought I'd have a go at building FF 107.0, given that's been out for a few days and original builds failed in koji, because nss was too old at the time.
>>>>>>
>>>>>> Has switching to bundled NSS been considered? For browsers anything that holds up an update is very, *very* bad.
>>>>>
>>>>> Casually handling crypto libraries is very, *very* worse.
>>>>
>>>> Has there ever been a case where Fedora's NSS was not vulnerable to something that the bundled NSS was vulnerable to? To be clear, I am referring to the NSS shipped by Mozilla as a part of Firefox. Another option would be to ensure that NSS is promptly updated.
>>>
>>> NSS is generally updated in order to release Firefox, I am not aware of a chronic issue here. We compile NSS differently than what Mozilla does, for example we use the Fedora OS trust anchors, and the Fedora Crypto-Policies, etc.. it is not just about vulnerabilities, system integration matters too. But we *have* released patches for security vulnerabilities in NSS w/o requiring also a full recompile and retesting of Firefox.
>>
>> In that case, can NSS be pushed out to stable immediately, along with the new Firefox? Several days is too long a delay already.
>
> One factor that sometimes holds things up is that the involved maintainers never bundle updates properly. When there is a new Firefox build and a new nss build that should go together, these should be bundled in a single update, but they almost never are. This sometimes causes the openQA tests to fail (if there's a hard version dependency involved), which causes one or other update to be gated. If they were properly bundled, this would not happen.
>
> I have been leaving comments on Firefox updates for years asking for this to be addressed, but it never happens. Most recent example: https://bodhi.fedoraproject.org/updates/FEDORA-2022-1f8312716f
>
> It does seem like there is a weirdly low level of co-operation between nss and firefox maintainers, given that firefox is by a long way the most significant and intertwined user of nss. It feels like there is scope for improvement there.
Would it be possible to develop a way to better manage updates of some interconnected packages? FF + NSS would be one case, but when we are doing a Ruby on Rails update, it always involves more packages. Or probably gcc + annobin are a pair of packages which need to always go together (unless I am mistaken).

E.g. the build of NSS would automatically trigger side-tag creation and wait for the updated FF.
Vít