Given that the originally planned August 2016 batch is more complicated than usual, I suggest that we close bug 1290999 as wontfix, and split it into two separate updates: This bug is for tracking the second half of the changes, those which must be delayed until January 2017.

I suggest that we release this update EXACTLY on 2017-01-02, January 2nd 2017, as part of new NSS branch releases, and uplift them into the Firefox 51 and Firefox 52 branches on the same date.

Let me know if there are any concerns with this suggestion.
(In reply to Kai Engert (:kaie) from comment #0)
> I suggest that we release this update EXACTLY on 2017-01-02, January 2nd
> 2017, as part of new NSS branch releases, and uplift them into the Firefox
> 51 and Firefox 52 branches on the same date.
>
> Let me know if there are any concerns with this suggestion.

Whenever possible, root removals should be added to the Central or Aurora phase of a Firefox release, so I would like to update my request as follows.

Please remove the root certs indicated in the following bugs from NSS by September 12, so the changes will get into Firefox 51, which is currently scheduled for release on January 24.

* 1250699 - Remove expiring Sertifitseerimiskeskus root cert -- not EV -- expires 8/26/2016
* 1251025 - Remove expiring E-Tugra root cert -- not EV -- expires 8/14/2016
* 1286696 - Remove S-TRUST Authentication and Encryption Root CA 2005:PN - not EV -- only email trust bit set
* 1288250 - Remove non-audited VeriSign and Equifax root certs - not EV - only email trust bit set

Please postpone the following bugs to the next batch of root changes. I will send you the full list in December, with target of Firefox 52. (so we would want to get these changes into an NSS release and into the FF52 train in early January)

* 1266574 - Remove expiring Buypass root cert -- not EV -- expires 10/13/2016
* 1283326 - Remove RSA Security 2048 v3 root certificate -- not EV - CA request is to remove after November 8
* 1272156 - Remove French Government's IGC/A root - not EV -- CA request is to remove after December 31st 2016
* 1272158 - Remove Generalitat Valenciana root - not EV -- CA request is to remove after December 31st 2016

Thanks,
Kathleen
Ooops! Looks like I should have read Bug #1296689 first...

I agree with what you said in Bug #1296689, but I think we should move the removal of the RSA Security 2048 v3 root (Bug #1283326) into this later batch of root changes.

> I suggest that we release this update EXACTLY on 2017-01-02, January 2nd
> 2017, as part of new NSS branch releases, and uplift them into the Firefox
> 51 and Firefox 52 branches on the same date.

I would just change that to be release in early January (doesn't have to be Jan 2), and to only uplift to FF 52.

Thanks!
Kathleen, thanks for your decisions. I've moved the RSA root removal bug to this January batch (see updated dependency list).

Given we're no longer targeting Firefox 51, I agree we don't need to release exactly on January 2nd, but can complete the release at some time early in January, and create an NSS release to be landed into Firefox 52 aurora earlier than 2017-01-22.

I don't know if we can delay the NSS 3.28 release (that targets Firefox 52) until early January. Maybe we can. If we cannot, we'll create an NSS 3.28.x release with the root CA changes for Firefox 52.

I'll wait for the full list to arrive in December, before creating the patch and test builds.
Created attachment 8783858
incomplete-dez-1296697-v0.patch

This is an incomplete patch, which should implement the requested changes that are known so far. I'll create an updated patch when the full list is known in December.
Created attachment 8811678
draft-1296697-v0b.patch

This is an updated draft patch, that implements the changes from the current list.
1266574 1272158 1283326 1299951 1303377 1307981
(In reply to Kai Engert (:kaie) (on vacation) from comment #5)
> ... the current list.
> 1266574 1272158 1283326 1299951 1303377 1307981

Adding one more: Bug #1320783.

Thanks!
Created attachment 8817966
Patch v1

This patch v1 is no longer a draft, it should include the complete set intended for this batch.
(In reply to Kai Engert (:kaie) from comment #7)
> Created attachment 8817966
> Patch v1

A test build has been started. Build results will be displayed on Treeherder as they come in:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=0ff968e3d09e43aa1186a83d9df1b0159adf61e0

Once completed, builds and logs will be available at:
https://firstname.lastname@example.org/
Thanks, Kai!

I have:
+ reviewed the patch, and all of the changes are as requested.
+ tested with the MacOS test build, and confirmed all of the requested changes.

I will ask the CAs to test.
Comment on attachment 8817966
Patch v1

Thanks Kathleen. Once you have feedback from all CAs, please set the patch to reviewed.
Comment on attachment 8817966
Patch v1

CA testing successfully completed. This patch is ready.

Thanks!
NSS trunk for 3.29: https://hg.mozilla.org/projects/nss/rev/e40d83f856f7
NSS branch for 3.28.1: https://hg.mozilla.org/projects/nss/rev/1927091e7839