Closed Bug 1107731 Opened 10 years ago Closed 10 years ago

Upgrade Mozilla 36 and 37 to use NSS 3.17.4

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla38
Tracking Flags:
Tracking Status
firefox36 + fixed
firefox37 --- fixed
firefox38 --- fixed

People

(Reporter: emk, Assigned: KaiE)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Update Aurora 37 to NSS_3_17_4_RC0
57.66 KB, patch
Sylvestre
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Update Beta 36 to NSS_3_17_4_RC0
99.72 KB, patch
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review 
To take a change from bug 1084986.
Summary: Upgrade Mozilla 37 to use NSS 3.17.4 → Upgrade Mozilla 37 to use NSS 3.18 beta
Masatoshi-san, does it make sense to update 36 (first week of Aurora this week) with this change as well?
Flags: needinfo?(VYV03354)
It would be better to update 36, but not mandatory.
Flags: needinfo?(VYV03354)
We just completed a release version of NSS 3.17.3 for the purpose of finalizing the NSS changes for Firefox 36.

If you required the fix from bug 1084986 for Aurora 36, we'd be required to make another NSS release prior to the next Firefox merge day.
Then we can continue to use SSL_ERROR_NO_CYPHER_OVERLAP for 36.
Blocks: 1113780
No longer blocks: 1098371
I've landed a beta5 of 3.18 into mozilla-central for Firefox 37, with r=wtc


We'd like to get several other changes into NSS 3.18 and into Firefox 37, but they aren't finalized yet, so we'll probably have to ask for landing approval a couple of times.
Summary: Upgrade Mozilla 37 to use NSS 3.18 beta → Upgrade Mozilla 37 to use NSS 3.18
Whiteboard: [leave open]
Target Milestone: --- → mozilla37
status-firefox37: --- → affected
Blocks: 1119784
(In reply to Kai Engert (:kaie) from comment #3)
> If you required the fix from bug 1084986 for Aurora 36, we'd be required to
> make another NSS release prior to the next Firefox merge day.

Can we get the fix for bug 1084986 on Beta 36 now?
Flags: needinfo?(kaie)
(In reply to :Gavin Sharp [email: gavin@gavinsharp.com] from comment #10)
> (In reply to Kai Engert (:kaie) from comment #3)
> > If you required the fix from bug 1084986 for Aurora 36, we'd be required to
> > make another NSS release prior to the next Firefox merge day.
> 
> Can we get the fix for bug 1084986 on Beta 36 now?

I had assumed you had given up targetting 36 based on comment 3 and comment 4.

If you really want to target 36, then my original comment 3 is still correct

I don't recommend taking NSS 3.18 for Firefox 36, because it's not ready yet, we plan some more NSS changes during this cycle, which should happen during Aurora, and which are probably too risky at the last minute of the Firefox beta cycle.

If you want the fix for bug 1084986 and bug 1113780 in Firefox 36, we should do a NSS 3.17.x branch release, with that change, only.

Gavin, the answer to your question is:
  "If you say you really want it in Firefox 36, then we can do it, it requires
   that we create a NSS 3.17.4 release (based on existing 3.17.3 plus the bugfix
   you want)."
Flags: needinfo?(kaie) → needinfo?(gavin.sharp)
(In reply to Kai Engert (:kaie) from comment #11)
> Gavin, the answer to your question is:
>   "If you say you really want it in Firefox 36, then we can do it, it
> requires
>    that we create a NSS 3.17.4 release (based on existing 3.17.3 plus the
> bugfix
>    you want)."

I don't have a great sense of how much work or risk is involved with that, but I do really want the fix in Firefox 36.
Flags: needinfo?(gavin.sharp)
(In reply to :Gavin Sharp [email: gavin@gavinsharp.com] from comment #12)
> I don't have a great sense of how much work or risk is involved with that,
> but I do really want the fix in Firefox 36.

Gavin, after an assessment of all the changes that have recently been included in NSS, it became clear that all changes have been of the "correctness fix" type. The most significant fixes were to NSS TLS server code (not used by Firefox IIUC) and libpkix (not used by Firefox).

Are you willing to accept/approve taking an NSS release for Firefox 36 beta, that has these correctness fixes? We would be able to deliver that within the next couple of days.

The list of changes can be seen here:
https://hg.mozilla.org/projects/nss/graph

(Everything that's on the main yellow line, after NSS_3_17_3_RTM from 7 weeks ago.)
Flags: needinfo?(gavin.sharp)
(In reply to Kai Engert (:kaie) from comment #13)
> Are you willing to accept/approve taking an NSS release for Firefox 36 beta,
> that has these correctness fixes? We would be able to deliver that within
> the next couple of days.

You're a much better judge of the potential impact of these changes than I am. If you're very confident that there are no changes that introduce risk to Firefox in that delta, then that sounds like the right plan.
Flags: needinfo?(gavin.sharp)
If the changes are safe, yes, we could take them to fix bug 1098371.
status-firefox36: --- → affected
tracking-firefox36: --- → +
Because no new APIs have been added (or changed) since the previous NSS release, it has been decided to use version number 3.17.4 (instead of 3.18).

I'll push the 3.17.4 release candidate to inbound soon (when it's open).

I suggest to land it into aurora and beta, too.

Assuming no further issues, we intend to declare it a final NSS release early next week.
Summary: Upgrade Mozilla 37 to use NSS 3.18 → Upgrade Mozilla 36 and 37 to use NSS 3.17.4
Assignee: nobody → kaie

        Attachment #8553298 -
        Flags: approval-mozilla-aurora?

    
  

        Attachment #8553302 -
        Flags: approval-mozilla-beta?

    
    

    
  
The patches for aurora and beta might seem big, but I looked through them, and most of the changes are in comments, in license headers, in tests, and in code not used by Firefox.

The few effective changes all look very safe, and are of correctness fix quality, as said before.

        Attachment #8553298 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

        Attachment #8553302 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+

    
    

    
  
https://hg.mozilla.org/releases/mozilla-aurora/rev/6b4103d8c3f7
https://hg.mozilla.org/releases/mozilla-beta/rev/f4e1d64f9ab9

Leaving the flags set to affected per discussion w/ Kai until the RTM tag change is pushed.

          status-firefox38:
          --- → affected
Target Milestone: mozilla37 → mozilla38

    
    

    
  
The 3.17.4 release candidate has been tagged as final release without further changes.

    
  
Whiteboard: [leave open]
No longer blocks: 1119784
Depends on: 1119784

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: