TL;DR: The change originally planned for Fedora 27 will now be done for
Rawhide Fedora 28, probably tomorrow.
We had previously announced a change to the NSS crypto library to use the
new sql file format by default. Please see the attached message for the
Because of blocker bugs, it wasn't done for Fedora 27. During the past
months the known bugs in NSS were fixed, and the Firefox/Mozilla code
was improved. I think now we're ready to make the change for Rawhide.
If I understand correctly, at the current time of the development phase
of Rawhide Fedora 28, it isn't necessary to go through a formal process
to make this change.
The new tracking bug is:
The following is noteworthy when using NSS with the sql file format:
- Performance is slightly reduced. The old dbm storage didn't use any
locking mechanism, and therefore it was easy to get corrupted storage
when more than one application accessed the files in parallel.
The new sqlite storage can safely be used by multiple applications
in parallel, but this has a performance cost.
- NSS databases (old and new) can be protected with a password.
Previously, some modification operations could be performed without
unlocking the database.
When using the new sql storage, NSS more strictly requires the
user to log in to (unlock) the database prior to performing
For example, when modifying the trust settings of a CA certificate
with certutil, it will be necessary to provide the database password.
- With sql databases, NSS is more strict with half-initialized
databases. In the early years of the Netscape/Mozilla era,
in order to support some application/browser level functionality,
it had been necessary to distinguish between
"half initialized state:
no password ever set on the database, not even an empty password"
"fully initialized state:
password set on the database, even if it's just the empty string".
We believe this state is no longer required; certutil and modutil no
longer create half-initialized databases.
Until recently, NSS databases created by Firefox/Thunderbird etc.
were still in this half-initialized state.
There might be other applications that did this.
When using a database in the half-initialized state, some
database operations could fail, with similar symptoms as not having
logged in to the database, even after databases are (automatically)
migrated to the sql format (the half-initialized state is kept).
When experiencing such issues, it will be necessary to explicitly
set a password on the database, even if it's just the empty string.
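As an added illustration (not part of this mail, and not NSS or Fedora tooling), the following Python script checks whether a database directory is in the dbm or sql format and, for the sql format, whether a password has ever been set on it, so an administrator can find half-initialized databases before the symptoms above show up. It assumes that key4.db carries a `metaData` table and that a row with id `password` is present exactly when a password (even the empty one) has been set, which is how NSS's sftkdb_HasPasswordSet() decides; the sample key4.db files it creates are constructed stand-ins with dummy bytes, not files written by NSS.

```python
import os
import sqlite3
import tempfile


def detect_nss_format(dbdir):
    """Classify an NSS database directory by the files it contains.
    Legacy dbm format: cert8.db/key3.db; sql (sqlite) format: cert9.db/key4.db."""
    has_sql = os.path.exists(os.path.join(dbdir, "key4.db"))
    has_dbm = os.path.exists(os.path.join(dbdir, "key3.db"))
    if has_sql and has_dbm:
        return "both"
    if has_sql:
        return "sql"
    if has_dbm:
        return "dbm"
    return "none"


def sql_db_has_password_set(key4_path):
    """True if key4.db records that a password (possibly empty) was ever set,
    i.e. the database is fully initialized.

    Assumption: the sql key database has a 'metaData' table and NSS looks up
    the row with id='password'; no such row means the half-initialized state."""
    conn = sqlite3.connect(f"file:{key4_path}?mode=ro", uri=True)
    try:
        cur = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name='metaData'")
        if cur.fetchone() is None:
            return False
        cur = conn.execute("SELECT 1 FROM metaData WHERE id='password'")
        return cur.fetchone() is not None
    finally:
        conn.close()


def check_directory(dbdir):
    """Report the storage format and, for sql databases, whether a password is set.
    password_set is None when the question does not apply (dbm or no database)."""
    fmt = detect_nss_format(dbdir)
    password_set = None
    if fmt in ("sql", "both"):
        password_set = sql_db_has_password_set(os.path.join(dbdir, "key4.db"))
    return {"format": fmt, "password_set": password_set}


def make_sample_key4(path, initialized):
    """Constructed sample, not a real NSS-generated file: a key4.db with the
    metaData table and, optionally, a 'password' row holding dummy bytes
    (real NSS stores a salt and a password-check blob there)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2)")
    if initialized:
        conn.execute("INSERT INTO metaData VALUES ('password', ?, ?)",
                     (b"salt", b"check"))
    conn.commit()
    conn.close()


def demo():
    """Build three constructed directories (half-initialized sql, fully
    initialized sql, legacy dbm) and return what check_directory reports."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("half", "full", "legacy"):
            os.mkdir(os.path.join(tmp, name))
        make_sample_key4(os.path.join(tmp, "half", "key4.db"), initialized=False)
        make_sample_key4(os.path.join(tmp, "full", "key4.db"), initialized=True)
        # An empty key3.db is enough for the format check; its contents are not parsed.
        open(os.path.join(tmp, "legacy", "key3.db"), "wb").close()
        for name in ("half", "full", "legacy"):
            results[name] = check_directory(os.path.join(tmp, name))
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

A directory reported as sql with password_set False is one where the remedy described above applies: set a password on it, even if it's just the empty string (certutil's `-N --empty-password` option does that for a new database, and `-W` changes the password of an existing one; neither command is quoted in this mail).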
In order to adjust for these properties, Firefox has been changed to
always initialize NSS databases with an empty password.
In addition, Firefox has been changed to prompt the user for the NSS
database password (Firefox calls it the master password) if necessary,
prior to e.g. trust database modifications.
These recent changes will be contained in NSS 3.34, Firefox 58 and
Thunderbird 59, which aren't released yet.
To allow us to test the new sql database file format with
Fedora Rawhide as soon as possible, the changes have been backported to
the versions currently used in Rawhide: NSS 3.33, Firefox 57 beta,
Thunderbird 52.4. The packages were built yesterday.
If other applications based on Mozilla Gecko, e.g. Iceowl or
Icecat, would like to avoid users running into these potential
failures, they could pick up the same backported patches. Please look at
the commits for Firefox and Thunderbird to find them, or see the
dependency list of bug 1496560.
Please let us know if you experience problems. (Ideally, please file a
bug against the "nss" component and CC kengert@rh, hkario@rh,