Upgrade Firefox 49 to NSS 3.25

RESOLVED FIXED in Firefox 49

Status

()

Core
Security: PSM
P1
normal
RESOLVED FIXED
2 years ago
a year ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

49 Branch
mozilla49
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox49 fixed)

Details

(Whiteboard: [psm-assigned])

Attachments

(4 attachments)

(Assignee)

Description

2 years ago
Firefox 49 should use NSS 3.25, which is currently being worked on.
(Assignee)

Updated

2 years ago
Summary: Upgrade Firefox 45 to NSS 3.25 → Upgrade Firefox 49 to NSS 3.25
(Assignee)

Updated

2 years ago
Depends on: 1275533
(Assignee)

Comment 1

2 years ago
Try build with today's snapshot 765c0adb71b7
https://treeherder.mozilla.org/#/jobs?repo=try&revision=d6d705067fc8
I'm a bit concerned about the Win7 cl tests failing. But I don't see any relation to NSS there so I think we should be good to land a beta.

Comment 3

2 years ago
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #2)
> I'm a bit concerned about the Win7 cl tests failing. But I don't see any
> relation to NSS there so I think we should be good to land a beta.

That's Bug 1270962.
tl;dr - Win7 VM instances (ones with spot in the machine name) currently can't run clipboard related tests successfully. In this case, all the M-cl tests failures are in fact on spot machines, so the try push looks fine.

(On a side note, it might be a good idea to exclude things like Reftests in future NSS try pushes as well, since those tests test code that have zero relation to NSS.)
(Assignee)

Comment 4

2 years ago
(In reply to :Cykesiopka from comment #3)
> 
> (On a side note, it might be a good idea to exclude things like Reftests in
> future NSS try pushes as well, since those tests test code that have zero
> relation to NSS.)

Anything else that should be excluded? Would you like to recommend a complete trychooser parameter that seems reasonable for NSS try runs?
Maybe something like "try: -b do -p all -u xpcshell,cppunit,gtest,mochitests -t none"?
Assignee: nobody → kaie
Whiteboard: [psm-assigned]

Comment 6

2 years ago
Pushed by kaie@kuix.de:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a2f23b6058a2
land NSS_3_25_BETA1, r=franziskus

Comment 7

2 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #5)
> Maybe something like "try: -b do -p all -u xpcshell,cppunit,gtest,mochitests
> -t none"?

Yeah, that looks reasonable.
Keywords: leave-open

Comment 8

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/a2f23b6058a2
Blocks: 975832
Depends on: 1278434
the configure check was not updated, while nsNSSCallbacks.cpp uses new values (TLS_ECDHE_*_WITH_AES_256_GCM_SHA384)
(In reply to Mike Hommey [:glandium] from comment #9)
> the configure check was not updated, while nsNSSCallbacks.cpp uses new
> values (TLS_ECDHE_*_WITH_AES_256_GCM_SHA384)

What is "the configure check"? What happens if it is not updated?
(In reply to Masatoshi Kimura [:emk] from comment #10)
> (In reply to Mike Hommey [:glandium] from comment #9)
> > the configure check was not updated, while nsNSSCallbacks.cpp uses new
> > values (TLS_ECDHE_*_WITH_AES_256_GCM_SHA384)
> 
> What is "the configure check"?

https://dxr.mozilla.org/mozilla-central/rev/b6f7d0eb61b1878d3d906bd231edf225463ece3f/old-configure.in#2469

> What happens if it is not updated?

Build failure against system NSS between 3.23 (currently checked minimal version) and 3.25 (better to fail during configure than during the build).
Per ChaCha20/Poly1305 precedent[1], we will update the configure check when NSS 3.25 RTM is merged to m-c.

[1] https://hg.mozilla.org/mozilla-central/rev/5e135136e21c
(In reply to Masatoshi Kimura [:emk] from comment #12)
> Per ChaCha20/Poly1305 precedent[1], we will update the configure check when
> NSS 3.25 RTM is merged to m-c.
> 
> [1] https://hg.mozilla.org/mozilla-central/rev/5e135136e21c

That's backwards. Building aurora *is* broken with versions that pass configure.
Created attachment 8762370 [details] [diff] [review]
NSS_3.25_RC0.patch

Tim, could you land this?
try run is at [1]

[1] https://treeherder.mozilla.org/#/jobs?repo=try&revision=f601aeda21cf092ee332a077555364b93c307ad6
Flags: needinfo?(ttaubert)
Comment on attachment 8762370 [details] [diff] [review]
NSS_3.25_RC0.patch

Review of attachment 8762370 [details] [diff] [review]:
-----------------------------------------------------------------

There are a few other files that need changing in the tree I think.  Kai usually just asks for review on a version number and we land the changes using the scripts.
(In reply to Martin Thomson [:mt:] from comment #15)
> Comment on attachment 8762370 [details] [diff] [review]
> NSS_3.25_RC0.patch
> 
> Review of attachment 8762370 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> There are a few other files that need changing in the tree I think.  Kai
> usually just asks for review on a version number and we land the changes
> using the scripts.

This should contain everything (the patch is created using the scripts). I'd have landed it if I'd have commit access... So I'll just leave this here until someone lands it or tells me what else to change.
(Assignee)

Comment 17

2 years ago
Comment on attachment 8762370 [details] [diff] [review]
NSS_3.25_RC0.patch

r-

I just ran command
  python client.py update_nss NSS_3_25_RC0
against mozilla-inbound, and the result contains several differences when compared to this patch, although both patches (your and mine) claim to be the diff between tag beta1 and rc0.

It seems something went wrong when preparing this patch.
Attachment #8762370 - Flags: review-
(Assignee)

Comment 18

2 years ago
Created attachment 8762541 [details]
Command to upgrade-to-325rc0
Attachment #8762370 - Attachment is obsolete: true
Attachment #8762541 - Flags: review?(franziskuskiefer)
(Assignee)

Updated

2 years ago
Attachment #8762541 - Attachment description: upgrade-to-325rc0.patch → Command to upgrade-to-325rc0
Attachment #8762541 - Attachment filename: upgrade-to-325rc0.patch → upgrade-to-325rc0
(Assignee)

Comment 19

2 years ago
Created attachment 8762542 [details] [diff] [review]
bump-configure-to-3.25.patch
Attachment #8762542 - Flags: review?(franziskuskiefer)
(Assignee)

Comment 20

2 years ago
(In reply to Kai Engert (:kaie) from comment #17)
> I just ran command
>   python client.py update_nss NSS_3_25_RC0
> against mozilla-inbound, and the result contains several differences when
> compared to this patch, although both patches (your and mine) claim to be
> the diff between tag beta1 and rc0.
> 
> It seems something went wrong when preparing this patch.

Ok, that's interesting.

I was wrong.

Although the patches look different, the difference is simply caused by the order of removal and insertion statements in the patch.

I confirmed that Franziskus' patch produces the identical output than the command I attached.
(Assignee)

Updated

2 years ago
Attachment #8762541 - Flags: review?(franziskuskiefer)
(Assignee)

Comment 21

2 years ago
Comment on attachment 8762370 [details] [diff] [review]
NSS_3.25_RC0.patch

Changing my earlier r- to an r+ as explained
Attachment #8762370 - Attachment is obsolete: false
Attachment #8762370 - Flags: review- → review+
(Assignee)

Comment 22

2 years ago
Comment on attachment 8762542 [details] [diff] [review]
bump-configure-to-3.25.patch

r=franziskus on IRC
Attachment #8762542 - Flags: review?(franziskuskiefer) → review+

Comment 23

2 years ago
Pushed by kaie@kuix.de:
https://hg.mozilla.org/integration/mozilla-inbound/rev/bb5316a4c7c2
land NSS_3_25_RC0, r=kaie
https://hg.mozilla.org/integration/mozilla-inbound/rev/3a53ff76208b
bump configure to require NSS 3.25, r=franziskus

Comment 24

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/bb5316a4c7c2
https://hg.mozilla.org/mozilla-central/rev/3a53ff76208b
Flags: needinfo?(ttaubert)

Comment 25

2 years ago
Pushed by kaie@kuix.de:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c4be443b20d0
land NSS_3_25_RC1, r=me
Priority: -- → P1

Comment 26

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c4be443b20d0
(Assignee)

Comment 27

2 years ago
Created attachment 8764553 [details]
upgrade-to-325rtm

Aurora 49 uses a beta version of NSS.

We must upgrade it to the final release tag.

This is a placeholder attachment, which lists the command used to uplift the RTM tag.
Attachment #8764553 - Flags: review?(franziskuskiefer)
Attachment #8764553 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 28

2 years ago
Comment on attachment 8762542 [details] [diff] [review]
bump-configure-to-3.25.patch

This patch adjusts the configuration script to require the newer NSS version at build time.
Attachment #8762542 - Flags: approval-mozilla-aurora?
Attachment #8764553 - Flags: review?(franziskuskiefer) → review+
Comment on attachment 8764553 [details]
upgrade-to-325rtm

We want to make sure to release the non-beta version; please uplift this to aurora.
Attachment #8764553 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Comment 30

2 years ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/f20f82876561
status-firefox49: affected → fixed
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Keywords: leave-open
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
(Assignee)

Comment 31

2 years ago
Thank you
Attachment #8762542 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Updated

a year ago
Depends on: 1304407
You need to log in before you can comment on or make changes to this bug.