Closed Bug 431204 (Franken-NSS) Opened 16 years ago Closed 16 years ago

Enable Firefox 2 to build with separate versions of softoken, nssckbi, and NSS

Categories

(NSS :: Build, defect, P2)

3.11.5

Tracking

(Not tracked)

RESOLVED WONTFIX
3.11.10

People

(Reporter: nelson, Unassigned)

Details

(Whiteboard: wontfix in favor of another approach; see comment 11)

Attachments

(1 file)

Firefox 2 is still building with NSS 3.11.5, even though the NSS 3.11 branch
has moved on to 3.11.9 and beyond.  Bugs that have been filed against NSS
on behalf of Firefox 2 have been fixed in NSS (some over a year ago), but
those fixes are not getting into Firefox 2 because they are stuck on 3.11.5.

Actually, they are using a special hybrid tag that is 3.11.5 for all parts of
NSS except nssckbi.  They are using the latest nssckbi, but the rest of NSS
is 3.11.5.  I believe Kai has been creating those tags.

They are stuck on 3.11.5 because they want to retain the FIPS certification 
of softoken and freebl.  The fixes that they lack are primarily or exclusively
outside of softoken, not in the code that is FIPS evaluated.

So the challenge is to find a way for Mozilla to build Firefox 2, including
NSS, such that it includes the latest NSS 3.11.x for all of NSS except 
softoken and freebl.  This is complicated by the fact that some files 
(mostly header files) are shared between softoken and the rest of NSS, 
and have been modified to change things outside of softoken.  

It may not be possible to build NSS and softoken at separate versions of the 
code in a single pass. We can explore having a script that builds NSS in 
several passes, pulling and building separate parts from separate versions
(tags) in separate passes, producing one unified final result that contains
components from separate versions.
Priority: -- → P2
(In reply to comment #0)
> They are stuck on 3.11.5 because they want to retain the FIPS certification 
> of softoken and freebl.

Who is "they"? For the most part MoCo isn't concerned with government use, we only care about FIPS because the NSS team has told us it's a good thing. If it's better to forget it and avoid using a franken-NSS maybe we should do that. You guys tell us.
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.15+
Franken-NSS :) Funny. I like it.

Dave, someone must be (or must have once been) concerned with government use.
I can't think of any other reason for Mozilla to value FIPS certification.
I can see why certain Linux and Unix OSes that bundle Mozilla browsers and 
who sell to the government would care, but they have the option of building 
with and using "system NSS" (the OS's copy of NSS) instead, IINM.  

Regardless, using FIPS certified crypto *is* a good thing.  I don't mean to 
question that.  

Mozilla is using Franken-NSS today because, at the same time that it (or 
somebody) wants to use FIPS crypto, it also wants to use the latest set of
root CA certs approved by Frank.  (We all agree that's good.)  So, today,
Mozilla is using an NSS that's mostly 3.11.5 except for one little piece,
which is the root CA certs.  There are other parts of NSS that, like the 
root CA certs, are NOT part of the FIPS validation, for which bug fixes 
have been made, bug fixes that are desirable to Mozilla, I believe.  

What's being proposed here is a different Franken-NSS, made from different 
pieces.  In that alternative, only the FIPS validated part of NSS would be 
from NSS 3.11.5 and all the rest would be 3.11.latest.  

Today, it's not easy to build that particular Franken-NSS from one checked 
out source tree in one build pass.  This bug asks us (NSS team) to fix that.  
Alias: Franken-NSS
dveditz's comment 1 is correct.  It is some members of the NSS
team who want Firefox to use a FIPS-validated version of NSS
because this allows the government to use Firefox.  It was not
a request from the Mozilla team.
I would give Wan-Teh's attachment 319405 an r+ in this bug, 
if it was attached to this bug.
This patch obviates knowledge of NSS internal directory structure 
in PSM's Makefile (at least for the 3.11.latest builds).
Attachment #319486 - Flags: review?(wtc)
Comment on attachment 319486
don't build freebl & softoken for Mozilla browsers

Isn't this problem already solved by Kai's PSM makefile patch?

We should rename the build variable SKIP_SOFTOKEN because
it could be useful for other purposes, for example:
http://pki.fedoraproject.org/wiki/ECC_Capable_NSS
This patch changes from one strict behavior
  "always build softoken"
to another strict behavior
  "when building a mozilla client, always exclude softoken".

It would be good to use this opportunity to provide flexibility, so PSM could specify what it wants.
In reply to comment 7,
Are you suggesting that we use 
ifndef FRANKEN_NSS instead of 
ifndef MOZILLA_BUILD ?  :)
How does this relate to bug 419030 now? It looks like the other bug went ahead and got fixed without this bug.
I think bug 419030 has a sufficient fix for the 1.8 branch / Firefox 2.

I don't see a need right now to work on this bug,
but we plan to work on improvements for trunk (3.12), to make sure the future will be simpler.

In fact, I should file a bug which says "implement separate build targets for softoken and rest-of-nss for NSS 3.12.x"
I've filed bug 433062 for NSS 3.12, going forward.

I propose that this bug (431204) gets resolved WONTFIX.
Should we learn that the simple approach in bug 419030 is not sufficient, we can reopen this one.
WONTFIXing, per comment 11. This is also no longer blocking.
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.15+
Resolution: --- → WONTFIX
Whiteboard: wontfix in favor of another approach; see comment 11
Comment on attachment 319486
don't build freebl & softoken for Mozilla browsers

See comment 6 and comment 7.
Attachment #319486 - Flags: review?(wtc) → review-