Closed Bug 508108 Opened 11 years ago Closed 11 years ago

NSS 3.12.3.2 release

Categories

(NSS :: Libraries, enhancement, P1)

3.12.3
enhancement

Tracking

(Not tracked)

RESOLVED FIXED
3.12.3.2

People

(Reporter: christophe.ravel.bugs, Assigned: christophe.ravel.bugs)

Details

Attachments

(5 files)

I need to build NSS 3.12.3 on some old platforms (namely AIX 5.1 and RHEL 2.1).

There are a few patches needed to build on these platforms.
Bug 507482: NSS 3.12.3 (and later) doesn't build on AIX 5.1
Bug 323196: NSS 3.11 does not build on RHEL21

These patches have already been applied to the trunk.

I need to apply these patches to the NSS_3_12_3_MINIBRANCH and create a NSS 3.12.3.2 from there.
Note 1: These patches are already applied to the trunk.

Note 2: The file mozilla/security/nss/lib/certdb/certi.h is different in NSS 3.12.3. There is no patch needed for this file.
Attachment #392329 - Flags: superreview?(julien.pierre.boogz)
Attachment #392329 - Flags: review?(nelson)
Attachment #392330 - Flags: superreview?(julien.pierre.boogz)
Attachment #392330 - Flags: review?(nelson)
Comment on attachment 392329
Fixes to build on AIX 5.1 and RHEL 2.1 (checked in)

r=nelson
Attachment #392329 - Flags: review?(nelson) → review+
Attachment #392330 - Flags: review?(nelson) → review+
Comment on attachment 392330
Change version to NSS 3.12.3.2 (checked in)

r=nelson
Status: NEW → ASSIGNED
Attachment #392330 - Flags: review+
Comment on attachment 392330
Change version to NSS 3.12.3.2 (checked in)

r=alexei
Comment on attachment 392329
Fixes to build on AIX 5.1 and RHEL 2.1 (checked in)

r=alexei
Attachment #392329 - Flags: review+
Attachment #392329 - Flags: superreview?(julien.pierre.boogz)
Checked in on NSS_3_12_3_MINIBRANCH:

Checking in security/coreconf/Linux.mk;
/cvsroot/mozilla/security/coreconf/Linux.mk,v  <--  Linux.mk
new revision: 1.35.14.1; previous revision: 1.35
done
Checking in security/nss/cmd/lib/pk11table.h;
/cvsroot/mozilla/security/nss/cmd/lib/pk11table.h,v  <--  pk11table.h
new revision: 1.7.4.1; previous revision: 1.7
done
Checking in security/nss/cmd/pk11mode/pk11mode.c;
/cvsroot/mozilla/security/nss/cmd/pk11mode/pk11mode.c,v  <--  pk11mode.c
new revision: 1.25.4.1; previous revision: 1.25
done
Checking in security/nss/lib/libpkix/include/pkixt.h;
/cvsroot/mozilla/security/nss/lib/libpkix/include/pkixt.h,v  <--  pkixt.h
new revision: 1.16.2.1; previous revision: 1.16
done
Checking in security/nss/lib/nss/nss.h;
/cvsroot/mozilla/security/nss/lib/nss/nss.h,v  <--  nss.h
new revision: 1.64.2.2; previous revision: 1.64.2.1
done
Checking in security/nss/lib/softoken/softkver.h;
/cvsroot/mozilla/security/nss/lib/softoken/softkver.h,v  <--  softkver.h
new revision: 1.8.2.2; previous revision: 1.8.2.1
done
Checking in security/nss/lib/softoken/softoknt.h;
/cvsroot/mozilla/security/nss/lib/softoken/softoknt.h,v  <--  softoknt.h
new revision: 1.5.4.1; previous revision: 1.5
done
Checking in security/nss/lib/util/nssutil.h;
/cvsroot/mozilla/security/nss/lib/util/nssutil.h,v  <--  nssutil.h
new revision: 1.2.2.2; previous revision: 1.2.2.1
done
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Attachment #392329 - Attachment description: Fixes to build on AIX 5.1 and RHEL 2.1 → Fixes to build on AIX 5.1 and RHEL 2.1 (checked in)
Attachment #392330 - Attachment description: Change version to NSS 3.12.3.2 → Change version to NSS 3.12.3.2 (checked in)
Attachment #392330 - Flags: superreview?(julien.pierre.boogz)
I shouldn't have closed the bug since I haven't tagged the tree yet.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
The PayPal certificate as of NSS 3.12.3 RTM is expired:

chains.sh: Verifying certificate(s)  PayPalEE.cert with flags  -d AllDB   -o OID.2.16.840.1.113733.1.7.23.6 
vfychain -d AllDB -pp -vv    -o OID.2.16.840.1.113733.1.7.23.6  /net/guybrush.red.iplanet.com/export/mccrel3/security/securitytip/builds/20090804.1/wozzeck_Solaris8/mozilla/security/nss/tests/libpkix/certs/PayPalEE.cert 
Chain is bad, -8164 = This certificate is not valid.
PROBLEM WITH THE CERT CHAIN:
CERT 0. PayPalEE :
  ERROR -8181: Peer's Certificate has expired.

Returned value is 1, expected result is pass
chains.sh: #2997: RealCerts: Verifying certificate(s)  PayPalEE.cert with flags  -d AllDB   -o OID.2.16.840.1.113733.1.7.23.6  - FAILED

This patch contains the PayPal certs from the current trunk. I need to update the NSS_3_12_3_MINIBRANCH with these new certs.
Attachment #392787 - Flags: review?(alexei.volkov.bugs)
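
The failure output in the comment above, triaged by a small parser (an added example, not part of the bug thread or of NSS): it groups vfychain errors per chains.sh test and marks failures caused only by error -8181 as expired test fixtures rather than code regressions. The first test in the sample is adapted from the comment with a placeholder path, the second is constructed; the `triage` function and its verdict names are assumptions of this example.

```python
import re

# Sample log: first test adapted from the comment above (placeholder path);
# the second test (ExampleEE/ExampleCA) is constructed for this example.
SAMPLE = """\
chains.sh: Verifying certificate(s)  PayPalEE.cert with flags  -d AllDB   -o OID.2.16.840.1.113733.1.7.23.6
vfychain -d AllDB -pp -vv    -o OID.2.16.840.1.113733.1.7.23.6  /path/to/certs/PayPalEE.cert
Chain is bad, -8164 = This certificate is not valid.
PROBLEM WITH THE CERT CHAIN:
CERT 0. PayPalEE :
  ERROR -8181: Peer's Certificate has expired.

Returned value is 1, expected result is pass
chains.sh: #2997: RealCerts: Verifying certificate(s)  PayPalEE.cert with flags  -d AllDB   -o OID.2.16.840.1.113733.1.7.23.6  - FAILED
vfychain -d AllDB -pp -vv  /path/to/certs/ExampleEE.cert
Chain is bad, -8179 = Peer's Certificate issuer is not recognized.
PROBLEM WITH THE CERT CHAIN:
CERT 1. ExampleCA :
  ERROR -8179: Peer's Certificate issuer is not recognized.

Returned value is 1, expected result is pass
chains.sh: #2998: RealCerts: Verifying certificate(s)  ExampleEE.cert with flags  -d AllDB  - FAILED
"""

EXPIRED = -8181  # error code the log above reports for an expired certificate

CERT_RE = re.compile(r"^CERT (\d+)\. (.+?) :\s*$")
ERROR_RE = re.compile(r"^\s+ERROR (-\d+): (.*)$")
RESULT_RE = re.compile(r"^chains\.sh: #(\d+): .* - (PASSED|FAILED)\s*$")

def triage(log):
    """Return one record per FAILED chains.sh test with its per-certificate errors."""
    results, errors, cert = [], [], None
    for line in log.splitlines():
        if m := CERT_RE.match(line):
            cert = (int(m.group(1)), m.group(2))      # chain position, nickname
        elif (m := ERROR_RE.match(line)) and cert:
            errors.append({"depth": cert[0], "cert": cert[1],
                           "code": int(m.group(1)), "text": m.group(2)})
        elif m := RESULT_RE.match(line):
            if m.group(2) == "FAILED":
                codes = {e["code"] for e in errors}
                # Only expiry errors: refresh the test certificate, not the code.
                verdict = "stale-fixture" if codes == {EXPIRED} else "investigate"
                results.append({"test": int(m.group(1)), "errors": errors,
                                "verdict": verdict})
            errors, cert = [], None                   # reset for the next test
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["test"], r["verdict"], [(e["cert"], e["code"]) for e in r["errors"]])
```
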
Comment on attachment 392787
Update PayPal certs in nss/tests/libpkix/certs (checked in)

r=alexei
Attachment #392787 - Flags: review?(alexei.volkov.bugs) → review+
Comment on attachment 392787
Update PayPal certs in nss/tests/libpkix/certs (checked in)

Checking in PayPalEE.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/PayPalEE.cert,v  <--  PayPalEE.cert
new revision: 1.2.2.1; previous revision: 1.2
done
Checking in PayPalICA.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/PayPalICA.cert,v  <--  PayPalICA.cert
new revision: 1.1.22.1; previous revision: 1.1
done
Attachment #392787 - Attachment description: Update PayPal certs → Update PayPal certs (checked in)
Attachment #392787 - Attachment description: Update PayPal certs (checked in) → Update PayPal certs in nss/tests/libpkix/certs (checked in)
Attachment #392798 - Flags: review?(julien.pierre.boogz)
Attachment #392798 - Flags: superreview?(alexei.volkov.bugs)
Comment on attachment 392798
Add NSS_NO_FORK_CHECK option in config.mk (checked in)

This patch was committed on the trunk. I need it on the NSS_3_12_3_MINIBRANCH.

See Bug 508259 - Pk11mode crashed on Linux2.4
Attachment #392798 - Flags: superreview?(alexei.volkov.bugs) → superreview+
Comment on attachment 392798
Add NSS_NO_FORK_CHECK option in config.mk (checked in)

Please collapse two 'DEFINES +=' lines into one. r=alexei
Attachment #392798 - Flags: review?(julien.pierre.boogz) → review+
Comment on attachment 392798
Add NSS_NO_FORK_CHECK option in config.mk (checked in)

Checking in config.mk;
/cvsroot/mozilla/security/coreconf/config.mk,v  <--  config.mk
new revision: 1.27.2.1; previous revision: 1.27
done


Alexei: your comment is valid. But I have already committed this patch on the trunk and I don't want to have a different patch on the mini branch.

If you think we should change the trunk, please reopen bug 508259.
Attachment #392798 - Attachment description: Add NSS_NO_FORK_CHECK option in config.mk → Add NSS_NO_FORK_CHECK option in config.mk (checked in)
Source tree tagged as NSS_3_12_3_2_RC0 on NSS_3_12_3_MINIBRANCH.
Christophe,
Isn't the mini-branch short-lived by definition?
Development continues on the trunk, which is not frozen, except for FIPS. So I think it's OK to make the change suggested by Alexei only on the trunk and not on the mini-branch which is now tagged.
I have reopened bug 508259 to suggest another fix enhancement for the trunk.
I'm closing this one since 3.12.3.2 is done.
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment on attachment 392798
Add NSS_NO_FORK_CHECK option in config.mk (checked in)

We are using both NO_FORK_CHECK and NO_CHECK_FORK.
We need better quality control of our code.  (I reviewed
the patch attachment 348293 in bug 462293, so I'm also
responsible.)
I am not sure that NO_FORK_CHECK and NO_CHECK_FORK are identical.
From what I understand:

- NO_FORK_CHECK means the code in softoken will not check for a fork
- NO_CHECK_FORK means that the test program pk11mode will not check if the softoken checks the fork correctly.

Is it correct?
Wan-Teh,
I am aware of that issue. As soon as the tree is reopened for FIPS, I plan on making these defines consistent between pk11mode and softoken.
Attachment #393887 - Flags: review?(christophe.ravel.bugs)
Comment on attachment 393887
Merge of all 5 patches for bug 494107

r=christophe
Attachment #393887 - Flags: review?(christophe.ravel.bugs) → review+
Checking in coreconf/HP-UX.mk;
/cvsroot/mozilla/security/coreconf/HP-UX.mk,v  <--  HP-UX.mk
new revision: 1.11.124.1; previous revision: 1.11
done
Checking in coreconf/Linux.mk;
/cvsroot/mozilla/security/coreconf/Linux.mk,v  <--  Linux.mk
new revision: 1.35.14.2; previous revision: 1.35.14.1
done
Checking in coreconf/Linux2.1.mk;
/cvsroot/mozilla/security/coreconf/Linux2.1.mk,v  <--  Linux2.1.mk
new revision: 1.6.124.1; previous revision: 1.6
done
Checking in coreconf/Linux2.2.mk;
/cvsroot/mozilla/security/coreconf/Linux2.2.mk,v  <--  Linux2.2.mk
new revision: 1.6.124.1; previous revision: 1.6
done
Checking in coreconf/Linux2.4.mk;
/cvsroot/mozilla/security/coreconf/Linux2.4.mk,v  <--  Linux2.4.mk
new revision: 1.6.124.1; previous revision: 1.6
done
Checking in coreconf/Linux2.5.mk;
/cvsroot/mozilla/security/coreconf/Linux2.5.mk,v  <--  Linux2.5.mk
new revision: 1.5.124.1; previous revision: 1.5
done
Checking in coreconf/Linux2.6.mk;
/cvsroot/mozilla/security/coreconf/Linux2.6.mk,v  <--  Linux2.6.mk
new revision: 1.5.54.1; previous revision: 1.5
done
Checking in coreconf/SunOS5.mk;
/cvsroot/mozilla/security/coreconf/SunOS5.mk,v  <--  SunOS5.mk
new revision: 1.25.42.1; previous revision: 1.25
done
Checking in nss/lib/ckfw/builtins/config.mk;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/config.mk,v  <--  config.mk
new revision: 1.13.4.1; previous revision: 1.13
done
Checking in nss/lib/ckfw/capi/config.mk;
/cvsroot/mozilla/security/nss/lib/ckfw/capi/config.mk,v  <--  config.mk
new revision: 1.2.2.1; previous revision: 1.2
done
Checking in nss/lib/freebl/Makefile;
/cvsroot/mozilla/security/nss/lib/freebl/Makefile,v  <--  Makefile
new revision: 1.103.2.1; previous revision: 1.103
done
Checking in nss/lib/nss/config.mk;
/cvsroot/mozilla/security/nss/lib/nss/config.mk,v  <--  config.mk
new revision: 1.32.16.1; previous revision: 1.32
done
Checking in nss/lib/smime/config.mk;
/cvsroot/mozilla/security/nss/lib/smime/config.mk,v  <--  config.mk
new revision: 1.26.2.1; previous revision: 1.26
done
Checking in nss/lib/softoken/legacydb/config.mk;
/cvsroot/mozilla/security/nss/lib/softoken/legacydb/config.mk,v  <--  config.mk
new revision: 1.8.2.1; previous revision: 1.8
done
Checking in nss/lib/sqlite/config.mk;
/cvsroot/mozilla/security/nss/lib/sqlite/config.mk,v  <--  config.mk
new revision: 1.5.2.1; previous revision: 1.5
done
Checking in nss/lib/ssl/config.mk;
/cvsroot/mozilla/security/nss/lib/ssl/config.mk,v  <--  config.mk
new revision: 1.26.2.1; previous revision: 1.26
done
Checking in nss/lib/util/config.mk;
/cvsroot/mozilla/security/nss/lib/util/config.mk,v  <--  config.mk
new revision: 1.4.42.1; previous revision: 1.4
done
Target Milestone: --- → 3.12.3.2
Comment on attachment 393887
Merge of all 5 patches for bug 494107

In coreconf/HP-UX.mk:

>-ifeq ($(OS_TEST),ia64)
>-	DSO_LDOPTS	+= +b '$$ORIGIN'
>+ifeq ($(USE_64), 1)
>+RPATH   = +b '$$ORIGIN'
> endif
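
Review bot: the added `RPATH   = +b '$$ORIGIN'` line replaces a direct `DSO_LDOPTS += ...` append, and nothing in these lines shows RPATH being added to the link options; confirm that the rule consuming RPATH lands in the same change, otherwise the +b '$$ORIGIN' setting silently drops out of HP-UX builds. A one-line comment above the block stating what +b '$$ORIGIN' does and where RPATH is used, as the Linux.mk hunk does for -rpath, would make that dependency visible.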

This is not equivalent to the original code for ia64.
On HP-UX, you can do both 32-bit and 64-bit builds for
ia64.  The original code uses +b '$$ORIGIN' for both
32-bit and 64-bit builds for ia64.  The new code uses
+b '$$ORIGIN' only for 64-bit builds for ia64.

I think this is what you want:

RPATH   = +b '$$ORIGIN'
ifneq ($(OS_TEST),ia64)
# pa-risc
ifndef USE_64
RPATH   =
endif
endif

In coreconf/Linux.mk:

>+# The -rpath '$$ORIGIN' linker option instructs this library to search for its
>+# dependencies in the same directory where it resides.
>+ifeq ($(BUILD_SUN_PKG), 1)
>+ifeq ($(USE_64), 1)
>+RPATH = -Wl,-rpath,'$$ORIGIN:/opt/sun/private/lib64:/opt/sun/private/lib'
>+else
>+RPATH = -Wl,-rpath,'$$ORIGIN:/opt/sun/private/lib'
>+endif
>+else
>+ifdef MOZILLA_CLIENT
>+RPATH = -Wl,-rpath,'$$ORIGIN'
>+endif
>+endif
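
Review bot: the comment at the top of this block documents only '$$ORIGIN', but the two RPATH lines under BUILD_SUN_PKG also append /opt/sun/private/lib64 and /opt/sun/private/lib; extend the comment to name those fixed directories and their search order (after $ORIGIN), so packagers know every location the loader will search for dependencies. The nested ifeq/ifdef levels would also be easier to check if each endif were labelled with the condition it closes.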

Please remove the MOZILLA_CLIENT part.  You missed my patch (attachment 383290)
in bug 494107.
Wan-Teh,

re: comment 24, 

1) I wasn't aware that you could build 32-bit on ia64. Since this issue exists in the trunk too and is not a result of the backport, I think it is preferable to reopen bug 494107 and deal with that problem only on the trunk.
This 3.12.3.2 release will never be built on ia64 (or even PA-RISC, we had that supported in 3.12.3 RTM).

2) I could have sworn that I had merged all 5 patches, I don't know how that happened. It wouldn't affect the Sun build of 3.12.3.2, since we don't set MOZILLA_CLIENT. But I have checked this change in anyway.

Checking in Linux.mk;
/cvsroot/mozilla/security/coreconf/Linux.mk,v  <--  Linux.mk
new revision: 1.35.14.3; previous revision: 1.35.14.2
done
There is one more issue in this release, which is about root certificates.

NSS 3.12.3.1 included some new root certificates for Firefox. But these are causing problems, and are unwanted by Sun for the 3.12.3.2 build. There are 2 ways to solve this:

1) I can back out certdata.c, certdata.txt, and nssckbi.h in mozilla/security/nss/lib/ckfw/builtins to the same level as NSS_3_12_3_RTM on the NSS_3_12_3_MINIBRANCH

2) Christophe can do the Sun build by checking out the NSS_3_12_3_MINIBRANCH first, then checking out those 3 files from NSS_3_12_3_RTM, then tagging the result as NSS_3_12_3_2_RC1.

I prefer the 1) approach. 3.12.3.2 should be the last release we do from this branch. Everything else should be from the trunk after that.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
It would be strange if NSS_3_12_3_2_RTM were not better than
NSS_3_12_3_1_RTM in all aspects.

You can create NSS_3_12_3_2_RTM from the NSS_3_12_3_MINIBRANCH,
and then create a NSS_3_12_3_2_WITH_CKBI_1_73_RTM tag using
mozilla/security/nss/lib/ckfw/builtins from NSS_3_12_3_RTM.
Then you can give NSS_3_12_3_2_WITH_CKBI_1_73_RTM binary
releases to Sun products.
Comment on attachment 393887
Merge of all 5 patches for bug 494107

Julien, why does NSS 3.12.3.2 need this RPATH patch, if
you're planning to build NSS 3.12.3.2 only on AIX 5.1 and
RHEL 2.1?  In bug 494107, I only see RHEL 4 and Solaris
mentioned.  So AIX 5.1 and RHEL 2.1 should not need this
patch.
Wan-Teh,

Re: comment 28,
One product that is supported only on RHEL 2.1 and RHEL 3 requires this rpath fix to run. Since the NSS patch could be installed asynchronously from the app patches, installing a new Sun NSS patch on RHEL 2.1 without this fix would have broken the app. So, we needed to respin our RHEL 2.1 build with this fix for that issue. I am not aware that the rpath fix was required on any other platform.
Comment on attachment 392798
Add NSS_NO_FORK_CHECK option in config.mk (checked in)

Christophe,

On the trunk, Linux2.4.mk has

NSS_NO_FORK_CHECK=1

But you didn't backport that change to NSS_3_12_3_MINIBRANCH.
Is that an oversight?
It wasn't an oversight. The change on the trunk was made to avoid defining the variable manually in the Linux 2.4 build, which was done for 3.12.3.2.
Re: comment 28,
The reason RHEL 2.1 and RHEL 3 were not mentioned in bug 494107 is because we had dropped support for those platforms in 3.12. We have now been asked to support them again. The same fix that was made for RHEL4 in 3.12.4 also applies to RHEL2.1 and RHEL3.
Wan-Teh,

re: comment 27, we can't exactly do what you propose. There are other changes in the builtins directory that we want which are on the NSS_3_12_3_MINIBRANCH, specifically the config.mk change which is part of attachment 393887. We have to tag only the 3 files I mentioned in comment 26.
Source tree tagged as NSS_3_12_3_2_RC1 on NSS_3_12_3_MINIBRANCH.

Source tree tagged as NSS_3_12_3_2_WITH_CKBI_1_73_RC1 on NSS_3_12_3_MINIBRANCH with mozilla/security/nss/lib/ckfw/builtins/certdata.c,mozilla/security/nss/lib/ckfw/builtins/certdata.txt,mozilla/security/nss/lib/ckfw/builtins/nssckbi.h from NSS_3_12_3_RTM
Christophe,

If you haven't released 3.12.3.2 yet, could you include
the patch (attachment 370674) in bug 486537?  Without it,
every Linux distribution has to patch their NSS 3.12.3.1
package.  Thanks.
Although we haven't tagged it as RTM, we are extensively testing the current build we have and can't restart with a new build. So I can't include this patch for 3.12.3.2 at this time.
Wan-Teh,

Re: comment 35,
Also, we are only rebuilding 3.12.3.2 for Linux 2.4 kernel on RHEL 2.1 32-bit. We decided not to rebuild our 2.6 kernel build, either 32-bit or 64-bit, which was 3.12.3 RTM released back in April. The fix for bug 486537 is only relevant to 64-bit and thus even if we include it in this branch, our Sun customers would not get it immediately. That fix is already in 3.12.4, however.
Tagged as NSS_3_12_3_2_RTM and NSS_3_12_3_2_WITH_CKBI_1_73_RTM.
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED