Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nss: 3.57 -> 3.59 #100765

Closed
wants to merge 1 commit into from
Closed

nss: 3.57 -> 3.59 #100765

wants to merge 1 commit into from

Conversation

@ajs124
Copy link
Member

@ajs124 ajs124 commented Oct 16, 2020

Motivation for this change

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@vcunat
Copy link
Member

@vcunat vcunat commented Oct 17, 2020

Bug 1641480 (CVE-2020-25648) - Tighten CCS handling when the client doesn't indicate middlebox compatibility mode.

@vcunat
Copy link
Member

@vcunat vcunat commented Oct 17, 2020

But current FF won't compile against it (for me, tried atop nixpkgs master):

/build/firefox-81.0.2/security/ct/CTLogVerifier.cpp:41:10: error: 'mozilla::ct::Result mozilla::ct::SignaturePa
   41 |   Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
      |          ^~~~~~~~~~~~~~~
In file included from /nix/store/420c27i4d1lvvmqw0wr619mydlwacdmi-nss-3.58-dev/include/nss/mozpkix/pkixder.h:41
                 from /build/firefox-81.0.2/security/ct/BTVerifier.h:13,
                 from /build/firefox-81.0.2/security/ct/BTVerifier.cpp:7,
                 from Unified_cpp_security_ct0.cpp:2:
/nix/store/420c27i4d1lvvmqw0wr619mydlwacdmi-nss-3.58-dev/include/nss/mozpkix/pkixtypes.h:279:18: warning: 'virt
  279 |   virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
      |                  ^~~~~~~~~~~~~~~
In file included from Unified_cpp_security_ct0.cpp:29:
/build/firefox-81.0.2/security/ct/CTLogVerifier.cpp:41:10: warning:   by 'mozilla::ct::Result mozilla::ct::Sign
   41 |   Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
      |          ^~~~~~~~~~~~~~~

@ajs124
Copy link
Member Author

@ajs124 ajs124 commented Oct 18, 2020

Same on staging as of 347696a… I thought I tested compiling Firefox, sorry.

@vcunat
Copy link
Member

@vcunat vcunat commented Oct 18, 2020

There's a major FF release scheduled in two days that should not require this nss version yet and I hope it might fix this error.

@andir
Copy link
Member

@andir andir commented Oct 20, 2020

I'm working on the firefox 82 package and as of now (it is still building) it doesn't require the newer NSS version. I'll try if it supports being built with this PR later.

@FRidh FRidh added this to WIP in Staging via automation Oct 20, 2020
@vcunat
Copy link
Member

@vcunat vcunat commented Oct 21, 2020

Bad "luck":

In file included from Unified_cpp_security_ct0.cpp:29:
/build/firefox-82.0/security/ct/CTLogVerifier.cpp:42:54: error: non-virtual member function marked 'override' h
                         const Input*, const Input*) override {
                                                     ^

EDIT: same for ESR 78.4.0.

@ajs124 ajs124 changed the title nss: 3.57 -> 3.58 nss: 3.57 -> 3.59 Nov 15, 2020
@ajs124
Copy link
Member Author

@ajs124 ajs124 commented Nov 15, 2020

ESR-78 still fails with 3.59

As does 82. yay. -.-

@vcunat
Copy link
Member

@vcunat vcunat commented Nov 15, 2020

Maybe we'll have to downgrade nss for 78? (for FF ESR and TB) Upstream apparently means 78 to be used with 3.53.x: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases

I expect 73 to be OK with 3.58 (and maybe even 3.59); it's scheduled for release in two days.

@stigtsp stigtsp mentioned this pull request Nov 17, 2020
10 tasks
@andir
Copy link
Member

@andir andir commented Nov 18, 2020

Ok, lets add an older version of NSS for those two? It isn't great but probably not worth blocking this much longer.

Firefox 83 now requires 3.58 and I'd rather pick this instead.

@vcunat
Copy link
Member

@vcunat vcunat commented Nov 18, 2020

Another thing that we can also do is to change/decouple cacert.src. That should be the only thing causing mass rebuilds, and I don't expect we need to update it so often. Maybe the output doesn't even change often.

@ajs124
Copy link
Member Author

@ajs124 ajs124 commented Nov 18, 2020

lets add an older version of NSS for those two

We still have 3.44, currently used for thunderbird-68.

That's probably too old, though.

@andir
Copy link
Member

@andir andir commented Nov 18, 2020

I'm looking into the rebuild amounts that NSS vs cacert are causing right now. It could be a nice way to handle this as long as we regulary bump cacert then.

@ajs124
Copy link
Member Author

@ajs124 ajs124 commented Nov 18, 2020

We've had some "nss only" rebuilds a while ago, when I was changing the build system to gyp and didn't get everything right on the first try. AFAIR the amount of rebuilds when just changing nss but not nss.src is at least an order of magnitude smaller.

@andir
Copy link
Member

@andir andir commented Nov 18, 2020

If my invocations with ./maintainers/scripts/rebuild-amount.sh are correct just NSS is ~100 packages and cacert is 9k+ packages.

@andir
Copy link
Member

@andir andir commented Nov 18, 2020

I'm trying to decouple cacert in the upcoming Firefox 83 PR. I'll also include this bump as it should then be just a minor rebuild.

andir added a commit to andir/nixpkgs that referenced this issue Nov 18, 2020
In [NixOS#100765] @vcunat pointed out that we could decouple cacert from the
NSS package to make it more rebuild friendly. Just rebuilding packages
that depend on NSS seems to be about ~100. Rebuilding all the packages
that depend on cacert is >9k as of this writing. This makes it much more
feasible to upgrade high-profile packages that are (rightfully) pedantic
on their NSS version like firefox and thunderbird.

[NixOS#100765]: NixOS#100765
andir added a commit to andir/nixpkgs that referenced this issue Nov 18, 2020
In [NixOS#100765] @vcunat pointed out that we could decouple cacert from the
NSS package to make it more rebuild friendly. Just rebuilding packages
that depend on NSS seems to be about ~100. Rebuilding all the packages
that depend on cacert is >9k as of this writing. This makes it much more
feasible to upgrade high-profile packages that are (rightfully) pedantic
on their NSS version like firefox and thunderbird.

[NixOS#100765]: NixOS#100765
colemickens added a commit to colemickens/nixpkgs that referenced this issue Nov 19, 2020
In [NixOS#100765] @vcunat pointed out that we could decouple cacert from the
NSS package to make it more rebuild friendly. Just rebuilding packages
that depend on NSS seems to be about ~100. Rebuilding all the packages
that depend on cacert is >9k as of this writing. This makes it much more
feasible to upgrade high-profile packages that are (rightfully) pedantic
on their NSS version like firefox and thunderbird.

[NixOS#100765]: NixOS#100765
@ajs124 ajs124 closed this Nov 19, 2020
Staging automation moved this from WIP to Done Nov 19, 2020
@ajs124 ajs124 deleted the upd/nss branch Nov 19, 2020
mweinelt pushed a commit that referenced this issue Jun 2, 2021
In [#100765] @vcunat pointed out that we could decouple cacert from the
NSS package to make it more rebuild friendly. Just rebuilding packages
that depend on NSS seems to be about ~100. Rebuilding all the packages
that depend on cacert is >9k as of this writing. This makes it much more
feasible to upgrade high-profile packages that are (rightfully) pedantic
on their NSS version like firefox and thunderbird.

[#100765]: #100765

(cherry picked from commit 94448ba)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Staging
  
Done
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants