nss update for jessie

Florian Weimer fw at deneb.enyo.de
Sun Oct 2 06:39:03 UTC 2016


* Mike Hommey:

> On Sat, Oct 01, 2016 at 09:20:49PM +0200, Florian Weimer wrote:
>> Hi Mike and all,
>> 
>> I'm looking at the possibility of a nss security update for jessie.
>> 
>> Do you suggest rebasing the package to a later upstream maintenance
>> release, or backporting individual patches?
>
> The former is more tractable, although you'd get into the issue of
> possibly changed defaults.

But sometimes, the security fix is in the changed defaults.

I know that historically, NSS relied on application updates to
implement changing cipher preferences (in the sense that “if your
application negotiated this cipher suite in 1998, you certainly want
it to pick the same suite today”).  But this means that all
applications need to be patched for cipher deprecations and
introduction of new ciphers (such as ECC).  I don't think this matches
current user expectations.

I saw the most recent upstream release compiles in necessarily
incomplete TLS 1.3 support.  *This* is not something that we want, and
I wonder what other traps are in the code base.
