On 11/21/22 09:23, Simo Sorce wrote:
On Sun, 2022-11-20 at 19:24 -0500, Demi Marie Obenour wrote:
> On 11/20/22 17:40, Simo Sorce wrote:
>> On Sun, 2022-11-20 at 17:22 -0500, Demi Marie Obenour wrote:
>>> On 11/20/22 07:24, Bojan Smojver via devel wrote:
>>>> Now that nss 3.85 has been built, I thought I'd have a go at
building
>>>> FF 107.0, given that's been out for a few days and original builds
>>>> failed in koji, because nss was too old at the time.
>>>
>>> Has switching to bundled NSS been considered? For browsers anything
>>> that holds up an update is very, *very* bad.
>>
>> Casually handling crypto libraries is very, *very* worse.
>
> Has there ever been a case where Fedora’s NSS was not vulnerable to
> something that the bundled NSS was vulnerable to? To be clear, I am
> referring to the NSS shipped by Mozilla as a part of Firefox.
> Another option would be to ensure that NSS is promptly updated.
NSS is generally updated in order to release Firefox, I am not aware of
a chronic issue here.
We compile NSS differently than what Mozilla does, for example we use
the Fedora OS trust anchors, and the Fedora Crypto-Policies, etc.. it
is not just about vulnerabilities, system integration matters too.
But we *have* released patches for security vulnerabilities in NSS w/o
requiring also a full recompile and retesting of Firefox.
In that case, can NSS be pushed out to stable immediately, along with
the new Firefox? Several days is too long a delay already.
--
Sincerely,
Demi Marie Obenour (she/her/hers)