The NSS version used by Firefox 51 and Firefox 52 contains an accidental change of an API data structure, which breaks binary compatibility with previous NSS versions. Although this isn't an issue when NSS is built as part of Firefox, I would like to ask to get this fixed prior to the releases of Firefox 52. The new Firefox ESR version will likely be a major driver to cause NSS consumers to upgrade, such as in enterprise deployments. We should avoid that they upgrade to the ABI-incompatible change. We can do so by upgrading Firefox 52 to NSS 3.28.3, which contains the fix, and restores the old compatibility. Also, there was a problem with the recent upgrade of Firefox to NSS 3.28.2. The version number reported by NSS 3.28.2 is the incorrect 3.28.1, which may cause Linux distributions to accidentally consume the 3.28.1, and which would prevent them from picking up the important fixes from NSS 3.28.2. If you agree to this fix, a single code patch will be added on top of what Firefox 52 is using today, see bug 1334108 attachment 8837341. (For Firefox 53, because it uses NSS 3.29, I'll file a separate bug, which will request to upgrade to NSS 3.29.1.)
We don't need to respin ff51. Setting ff53 to unaffected, because it's handled in bug 1339790. ff54 will be fixed with the next nightly merge on m-c.
I don't think this can cause any issues, but I've started a try build of the esr52 branch with the suggested change (I assume testing esr52 is sufficient to cover mozilla-beta 52, too): https://treeherder.mozilla.org/#/jobs?repo=try&revision=c9e78c192d55b548b3ac0bad617ba0b113b5eded
Yeah, they're completely identical at this point. Thanks, Kai!
We found an additional issue with NSS 3.28, bug 1340103. We're trying to get this resolved ASAP.
Depends on: 1340103
Assignee: nobody → kaie
Priority: -- → P1
We identified another ABI breakage, and it has been fixed, too. The 3.28.3 release has been created, so we're ready to proceed. I've started another try build: https://treeherder.mozilla.org/#/jobs?repo=try&revision=57f9f6877d4850e220b4d188be08c3d52cfcefc0 For comparison purposes, here's a try build on the same branch, but without any patches (so we know which try test failures are expected): https://treeherder.mozilla.org/#/jobs?repo=try&revision=363a5d585206132d4176f7b8f743799b16556578
The try builds look good to me. I think it's safe to pick up these two correctness fixes, which have been released as 3.28.3
Approval Request Comment
[Feature/Bug causing the regression]: nss 3.28 release, bug 957105
[User impact if declined]: shipping ABI incompatible NSS into enterprise deployments
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: only in nightly NSS tests, not yet in nightly ff
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: nothing else
[Is the change risky?]: no
[Why is the change risky/not risky?]: Passes all tests of both NSS and Firefox.
[String changes made/needed]: none
Attachment #8839152 - Flags: approval-mozilla-beta?
Comment on attachment 8839152 update-to-3.28.3.txt
nss update to undo ABI breakage, let's get this in today for 52.0b8
Attachment #8839152 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Summary: Upgrade Firefox 52 (regular and ESR) to NSS 3.28.3 to fix a binary compatibility issue → Upgrade Firefox 52 (regular and ESR) to NSS 3.28.3 to fix binary compatibility issues
https://hg.mozilla.org/releases/mozilla-beta/rev/b570b28bb0f5092d293de5a70bc4d4c840460ee0 Should be auto-synced to esr52
Will be synced to esr52, but isn't yet, so leaving as affected for now. :)
Setting qe-verify- based on Kai's assessment on manual testing needs (Comment 9) and the fact that this fix has automated coverage.