Closed
Bug 431204
(Franken-NSS)
Opened 16 years ago
Closed 16 years ago
Enable Firefox 2 to build with separate versions of softoken, nssckbi, and NSS
Categories
(NSS :: Build, defect, P2)
Tracking
(Not tracked)
RESOLVED
WONTFIX
3.11.10
People
(Reporter: nelson, Unassigned)
References
Details
(Whiteboard: wontfix in favor of another approach; see comment 11)
Attachments
(1 file)
872 bytes, patch (wtc: review-)
Firefox 2 is still building with NSS 3.11.5, even though the NSS 3.11 branch has moved on to 3.11.9 and beyond. Bugs that have been filed against NSS on behalf of Firefox 2 have been fixed in NSS (some over a year ago), but those fixes are not getting into Firefox 2 because they are stuck on 3.11.5.

Actually, they are using a special hybrid tag that is 3.11.5 for all parts of NSS except nssckbi. They are using the latest nssckbi, but the rest of NSS is 3.11.5. I believe Kai has been creating those tags.

They are stuck on 3.11.5 because they want to retain the FIPS certification of softoken and freebl. The fixes that they lack are primarily or exclusively outside of softoken, not in the code that is FIPS evaluated.

So the challenge is to find a way for Mozilla to build Firefox 2, including NSS, such that it includes the latest NSS 3.11.x for all of NSS except softoken and freebl. This is complicated by the fact that some files (mostly header files) are shared between softoken and the rest of NSS, and have been modified to change things outside of softoken.

It may not be possible to build NSS and softoken at separate versions of the code in a single pass. We can explore having a script that builds NSS in several passes, pulling and building separate parts from separate versions (tags) in separate passes, producing one unified final result that contains components from separate versions.
Reporter
Updated•16 years ago
Priority: -- → P2
Comment 1•16 years ago
(In reply to comment #0)
> They are stuck on 3.11.5 because they want to retain the FIPS certification
> of softoken and freebl.

Who is "they"? For the most part MoCo isn't concerned with government use, we only care about FIPS because the NSS team has told us it's a good thing. If it's better to forget it and avoid using a franken-NSS maybe we should do that. You guys tell us.
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.15+
Reporter
Comment 2•16 years ago
Franken-NSS :) Funny. I like it.

Dave, someone must be (or must have once been) concerned with government use. I can't think of any other reason for Mozilla to value FIPS certification. I can see why certain Linux and Unix OSes that bundle Mozilla browsers and who sell to the government would care, but they have the option of building with and using "system NSS" (the OS's copy of NSS) instead, IINM.

Regardless, using FIPS certified crypto *is* a good thing. I don't mean to question that.

Mozilla is using Franken-NSS today because, at the same time that it (or somebody) wants to use FIPS crypto, it also wants to use the latest set of root CA certs approved by Frank. (We all agree that's good.) So, today, Mozilla is using an NSS that's mostly 3.11.5 except for one little piece, which is the root CA certs.

There are other parts of NSS that, like the root CA certs, are NOT part of the FIPS validation, for which bug fixes have been made, bug fixes that are desirable to Mozilla, I believe.

What's being proposed here is a different Franken-NSS, made from different pieces. In that alternative, only the FIPS validated part of NSS would be from NSS 3.11.5 and all the rest would be 3.11.latest. Today, it's not easy to build that particular Franken-NSS from one checked out source tree in one build pass. This bug asks us (NSS team) to fix that.
Alias: Franken-NSS
Comment 3•16 years ago
dveditz's comment 1 is correct. It is some members of the NSS team who want Firefox to use a FIPS-validated version of NSS because this allows the government to use Firefox. It was not a request from the Mozilla team.
Reporter
Comment 4•16 years ago
I would give Wan-Teh's attachment 319405 an r+ in this bug, if it was attached to this bug.
Reporter
Comment 5•16 years ago
This patch obviates knowledge of NSS internal directory structure in PSM's Makefile (at least for the 3.11.latest builds).
Attachment #319486 -
Flags: review?(wtc)
Comment 6•16 years ago
Comment on attachment 319486
don't build freebl & softoken for Mozilla browsers

Isn't this problem already solved by Kai's PSM makefile patch?

We should rename the build variable SKIP_SOFTOKEN because it could be useful for other purposes, for example: http://pki.fedoraproject.org/wiki/ECC_Capable_NSS
Comment 7•16 years ago
This patch changes from one strict behavior "always build softoken" to another strict behavior "when building a mozilla client, always exclude softoken". It would be good to use this opportunity to provide flexibility, so PSM could specify what it wants.
Reporter
Comment 8•16 years ago
In reply to comment 7: Are you suggesting that we use ifndef FRANKEN_NSS instead of ifndef MOZILLA_BUILD? :)
Comment 9•16 years ago
How does this relate to bug 419030 now? It looks like the other bug went ahead and got fixed without this bug.
Comment 10•16 years ago
I think bug 419030 has a sufficient fix for the 1.8 branch / Firefox 2. I don't see a need right now to work on this bug, but we plan to work on improvements for trunk (3.12), to make sure the future will be simpler. In fact, I should file a bug which says "implement separate build targets for softoken and rest-of-nss for NSS 3.12.x".
Comment 11•16 years ago
I've filed bug 433062 for NSS 3.12, going forward. I propose that this bug (431204) gets resolved WONTFIX. Should we learn that the simple approach in bug 419030 is not sufficient, we can reopen this one.
Comment 12•16 years ago
WONTFIXing, per comment 11. This is also no longer blocking.
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.15+
Resolution: --- → WONTFIX
Whiteboard: wontfix in favor of another approach; see comment 11
Comment 13•16 years ago
Comment on attachment 319486
don't build freebl & softoken for Mozilla browsers

See comment 6 and comment 7.
Attachment #319486 -
Flags: review?(wtc) → review-