272902 - Add root CA certificate NSS patch to Thunderbird 1.0 branch.

Status: RESOLVED FIXED

(Thunderbird :: General, enhancement)

Description

[Frank Hecker]

I've approved a bug of new CAs to have their root CA certificates added to
Mozilla, Firefox, Thunderbird, etc. Nelson Bolyard has created an NSS patch to
add those new CA certs to the NSS built-in cert library (see bug 271585). I'm
requesting that this NSS patch for the new CA certs be added to future versions
of Thunderbird. (Nelson can explain more about the actual patch and how it
relates to the official NSS releases.)

Comment 1

[Scott MacGregor]

frank, isn't this just a works for me?

The NSS stuff is pulled by our trunk builds right? Why wouldn't the next (not
1.0) release not just get it?

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

Scott, in the last week, numerous people have explained to me that the
aviary branch now has its own copy of NSS, and that I "must" checkin 
my NSS enhancements (new certs) on the aviary branch.  I replied saying
that I have checked-in on the NSS trunk and NSS 3.9 branches, and if 
the owners of any other branches wish to take these changes onto their
branches, then they must do so.  

I *think* (Frank can confirm, or not) that this bug exists as a request
that someone who works on the aviary branch should merge my changes
onto the aviary branch.  See bug 271585 for details.  Note that the 
NSS trunk and the NSS 3.9 branch patches are not the same.  So, if
the aviary branch is based on the NSS 3.9 branch, then it should 
take that version of the patch, but if aviary is based on NSS trunk
(which I doubt), then it should take the trunk version of the patch.

Comment 3

[Scott MacGregor]

Thanks Nelson. I'm pretty sure we decided before this all got started that this
was too late for the 1.0 train anyway so there is no need to port anything to
the aviary branch. All the apps will ship with it in their next release which is
from the trunk.

Sounds like we are all in the same page.

I'll won't fix this. Frank speak up if I'm misunderstanding anything.

Comment 4

[Frank Hecker]

Just to clarify: I am *not* requesting that this patch be added to Thunderbird
1.0. What I requesting is two things: First, that this patch be included in
Thunderbird 1.1. As I understand it, that's a done deal given that a) by 1.1
Thunderbird will be created from the main Mozilla trunk and b) Mozilla trunk
releases are (or will be) pulling NSS code from the NSS trunk. (Someone please
correct me if I'm in error on either point.)

Second, I'm also asking if it's possible to apply this patch to the aviary
branch post-TB 1.0, so that it could be picked up in any TB 1.0.x releases that
might be done (e.g., to fix security vulnerabilities). This could potentially
get the new CA certs out there and in default use earlier than 1.1, which I
think would be a plus for TB users. (For example, two of the new CA certs are
for CAs in Denmark and the Netherlands that will be enabling country-wide
issuance of individual email certs.)

As I understand it this patch is pretty low risk as these things go, given that
 it only changes the static data in the shared library that encapsulates the
list of builtin CA certs (e.g., nssckbi.dll for Windows). Hence my suggestion
that it be considered for the branch. But of course ultimately that's your call...

Re-opening the bug to reflect my comments above.

Comment 5

[Boris Zbarsky [:bzbarsky]]

This is branch-only, since trunk is pulling NSS_CLIENT_TAG (see
http://lxr.mozilla.org/seamonkey/source/client.mk#183).  Branch pulls
AVIARY_1_0_20040515_BRANCH, though (see
http://lxr.mozilla.org/aviarybranch/source/client.mk#60).

Comment 6

[Nelson Bolyard (seldom reads bugmail)]

Scott, hopefully Thunderbird is now using NSS 3.11.something and this 
bug can be resolved fixed or worksforme or something.

Comment 7

[Scott MacGregor]

Nelson's right, this can be marked as fixed and has been for quite some time :)