nss update for jessie
Florian Weimer
fw at deneb.enyo.de
Sun Oct 2 08:22:34 UTC 2016
* Mike Hommey:
> On Sun, Oct 02, 2016 at 08:39:03AM +0200, Florian Weimer wrote:
>> * Mike Hommey:
>>
>> > On Sat, Oct 01, 2016 at 09:20:49PM +0200, Florian Weimer wrote:
>> >> Hi Mike and all,
>> >>
>> >> I'm looking at the possibility of a nss security update for jessie.
>> >>
>> >> Do you suggest to rebase the package to a later upstream maintenance
>> >> release, or to backport individual patches?
>> >
>> > The former is more tractable, although you'd get in the issue of
>> > possibly changed defaults.
>>
>> But sometimes, the security fix is in the changed defaults.
>>
>> I know that historically, NSS relied on application updates to
>> implement changing cipher preferences (in the sense that “if your
>> application negotiated this cipher suite in 1998, you certainly want
>> it to pick the same suite today”). But this means that all
>> applications need to be patched for cipher deprecations and
>> introduction of new ciphers (such as ECC). I don't think this matches
>> current user expectations.
>>
>> I saw the most recent upstream release compiles in necessarily
>> incomplete TLS 1.3 support. *This* is not something what we want, and
>> I wonder what other traps are in the code base.
>
> Note there's likely going to be another upstream release to fix that
> particular issue. Also note that that particular problematic upstream
> release is not in Debian yet.
Right, and it does not seem contain security fixes we need.
If I want to move forward with the rebase, would you recommend to
start with the version in sid and roll back packaging changes we do
not want, or go the opposite direction, upgrading the jessie version
to the 3.26 and pick up only minimum required changes (mostly related
to symbol versioning, it seems)?
More information about the pkg-mozilla-maintainers
mailing list