From: "Mikhail T."
Date: Thu, 29 Dec 2011 12:57:38 -0500
To: Florian Smeets
Cc: gecko@freebsd.org
Subject: Re: New nss and firefox

On 29.12.2011 03:36, Florian Smeets wrote:
> Mikhail,
>
> I'll try to explain our rationale one more time.

Thank you very much for your patience.

> a) Sweeping commits are still not allowed as the 9.0-RELEASE process is
> NOT finished yet.

I think this is the key to our disagreement -- I do not think updating nss from 3.12.x to 3.13.y qualifies as "sweeping". The shared library numbers do not change and the new version remains API-compatible and, apparently, even ABI-compatible.

> b) We keep nss and ca_root_nss in sync

Then ca_root_nss should be updated too.

> c) not only firefox depends on nss

Actually, firefox does NOT currently depend on nss (nor does thunderbird) -- an oversight that should be rectified ASAP. And the first step towards that is bringing nss up to date.

Now, there is, apparently, a reason the firefox build insists on nss-3.13.1 -- some sort of attack is possible against the earlier version(s). Comments in https://bugzilla.mozilla.org/show_bug.cgi?id=669061 mention that.

Instead of protecting just the browser, FreeBSD ought to ship all of the nss-using software (and you included a long list in your previous e-mail) using the latest release available. If the API and ABI compatibilities remain, there is no reason against updating -- and good reasons for it.

Yours,

    -mi