On 21. 11. 22 at 18:56 Adam Williamson wrote:
> On Mon, 2022-11-21 at 12:43 -0500, Demi Marie Obenour wrote:
>> On 11/21/22 09:23, Simo Sorce wrote:
>>> On Sun, 2022-11-20 at 19:24 -0500, Demi Marie Obenour wrote:
>>>> On 11/20/22 17:40, Simo Sorce wrote:
>>>>> On Sun, 2022-11-20 at 17:22 -0500, Demi Marie Obenour wrote:
>>>>>> On 11/20/22 07:24, Bojan Smojver via devel wrote:
>>>>>>> Now that nss 3.85 has been built, I thought I'd have a go at building
>>>>>>> FF 107.0, given that's been out for a few days and original builds
>>>>>>> failed in koji, because nss was too old at the time.
>>>>>> Has switching to bundled NSS been considered? For browsers anything
>>>>>> that holds up an update is very, *very* bad.
>>>>> Casually handling crypto libraries is very, *very* worse.
>>>> Has there ever been a case where Fedora’s NSS was not vulnerable to
>>>> something that the bundled NSS was vulnerable to? To be clear, I am
>>>> referring to the NSS shipped by Mozilla as a part of Firefox.
>>>> Another option would be to ensure that NSS is promptly updated.
>>> NSS is generally updated in order to release Firefox, I am not aware of
>>> a chronic issue here.
>>>
>>> We compile NSS differently than what Mozilla does, for example we use
>>> the Fedora OS trust anchors, and the Fedora Crypto-Policies, etc.. it
>>> is not just about vulnerabilities, system integration matters too.
>>>
>>> But we *have* released patches for security vulnerabilities in NSS w/o
>>> requiring also a full recompile and retesting of Firefox.
>> In that case, can NSS be pushed out to stable immediately, along with
>> the new Firefox? Several days is too long a delay already.
> One factor that sometimes holds things up is that the involved
> maintainers never bundle updates properly. When there is a new Firefox
> build and a new nss build that should go together, these should be
> bundled in a single update, but they almost never are. This sometimes
> causes the openQA tests to fail (if there's a hard version dependency
> involved), which causes one or other update to be gated. If they were
> properly bundled, this would not happen.
>
> I have been leaving comments on Firefox updates for years asking for
> this to be addressed, but it never happens. Most recent example:
>
> https://bodhi.fedoraproject.org/updates/FEDORA-2022-1f8312716f
>
> It does seem like there is a weirdly low level of co-operation between
> nss and firefox maintainers, given that firefox is by a long way the
> most significant and intertwined user of nss. It feels like there is
> scope for improvement there.
Would it be possible to develop a way to better manage updates of some
interconnected packages? FF + NSS would be one case, but when we are
doing a Ruby on Rails update, it always involves more packages. Or probably
gcc + annobin are a pair of packages which need to always go together
(unless I am mistaken).
E.g. the build of NSS would automatically trigger side creation and
wait for the updated FF.
*mumbles about automatic rebuild + submit updates of reverse dependencies again*
"If only, if only," the woodpecker cries...
--
真実はいつも一つ!/ Always, there's only one truth!