On Sun, 2022-11-20 at 19:24 -0500, Demi Marie Obenour wrote:
> On 11/20/22 17:40, Simo Sorce wrote:
> > On Sun, 2022-11-20 at 17:22 -0500, Demi Marie Obenour wrote:
> > > On 11/20/22 07:24, Bojan Smojver via devel wrote:
> > > > Now that nss 3.85 has been built, I thought I'd have a go at building
> > > > FF 107.0, given that's been out for a few days and original builds
> > > > failed in koji, because nss was too old at the time.
> > >
> > > Has switching to bundled NSS been considered? For browsers anything
> > > that holds up an update is very, *very* bad.
> >
> > Casually handling crypto libraries is very, *very* worse.
> Has there ever been a case where Fedora’s NSS was not vulnerable to
> something that the bundled NSS was vulnerable to? To be clear, I am
> referring to the NSS shipped by Mozilla as a part of Firefox.
> Another option would be to ensure that NSS is promptly updated.
NSS is generally updated in order to release Firefox; I am not aware of
a chronic issue here.
We compile NSS differently than what Mozilla does, for example we use
the Fedora OS trust anchors, the Fedora Crypto-Policies, etc.; it
is not just about vulnerabilities, system integration matters too.
But we *have* released patches for security vulnerabilities in NSS w/o
requiring also a full recompile and retesting of Firefox.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc