On Tue, Nov 22, 2022 at 6:48 AM Vít Ondruch <vondruch@xxxxxxxxxx> wrote:
>
> On 21. 11. 22 at 18:56 Adam Williamson wrote:
> > On Mon, 2022-11-21 at 12:43 -0500, Demi Marie Obenour wrote:
> >> On 11/21/22 09:23, Simo Sorce wrote:
> >>> On Sun, 2022-11-20 at 19:24 -0500, Demi Marie Obenour wrote:
> >>>> On 11/20/22 17:40, Simo Sorce wrote:
> >>>>> On Sun, 2022-11-20 at 17:22 -0500, Demi Marie Obenour wrote:
> >>>>>> On 11/20/22 07:24, Bojan Smojver via devel wrote:
> >>>>>>> Now that nss 3.85 has been built, I thought I'd have a go at building FF 107.0, given that's been out for a few days and original builds failed in koji, because nss was too old at the time.
> >>>>>> Has switching to bundled NSS been considered? For browsers anything that holds up an update is very, *very* bad.
> >>>>> Casually handling crypto libraries is very, *very* worse.
> >>>> Has there ever been a case where Fedora's NSS was not vulnerable to something that the bundled NSS was vulnerable to? To be clear, I am referring to the NSS shipped by Mozilla as a part of Firefox.
> >>>> Another option would be to ensure that NSS is promptly updated.
> >>> NSS is generally updated in order to release Firefox; I am not aware of a chronic issue here.
> >>>
> >>> We compile NSS differently than what Mozilla does, for example we use the Fedora OS trust anchors, and the Fedora Crypto-Policies, etc. It is not just about vulnerabilities, system integration matters too.
> >>>
> >>> But we *have* released patches for security vulnerabilities in NSS w/o requiring also a full recompile and retesting of Firefox.
> >> In that case, can NSS be pushed out to stable immediately, along with the new Firefox? Several days is too long a delay already.
> > One factor that sometimes holds things up is that the involved maintainers never bundle updates properly. When there is a new Firefox build and a new nss build that should go together, these should be bundled in a single update, but they almost never are. This sometimes causes the openQA tests to fail (if there's a hard version dependency involved), which causes one or other update to be gated. If they were properly bundled, this would not happen.
> >
> > I have been leaving comments on Firefox updates for years asking for this to be addressed, but it never happens. Most recent example:
> > https://bodhi.fedoraproject.org/updates/FEDORA-2022-1f8312716f
> >
> > It does seem like there is a weirdly low level of co-operation between nss and firefox maintainers, given that firefox is by a long way the most significant and intertwined user of nss. It feels like there is scope for improvement there.
>
> Would it be possible to develop a way to better manage updates of some interconnected packages? FF + NSS would be one case, but when we are doing a Ruby on Rails update, it always involves more packages. Or probably gcc + annobin are a pair of packages which need to always go together (unless I am mistaken).
>
> E.g. the build of NSS would automatically trigger side creation and wait for updated FF.

*mumbles about automatic rebuild + submit updates of reverse dependencies again*

"If only, if only," the woodpecker cries...

--
真実はいつも一つ!/ Always, there's only one truth!

devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx