Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[staging]: nss + cacert -> 3.60 #106704

Merged
merged 2 commits into from Dec 17, 2020
Merged

[staging]: nss + cacert -> 3.60 #106704

merged 2 commits into from Dec 17, 2020

Conversation

ajs124
Copy link
Member

@ajs124 ajs124 commented Dec 12, 2020

Motivation for this change

Upstream release: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.60_release_notes

It has a bunch of CA changes, so I bumped cacert as well. This can (easily) be split in two PRs if necessary.

Firefox 83 still at least compiles with this, I haven't tested if it runs.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ajs124 ajs124 requested review from andir and vcunat December 12, 2020 03:25
@ofborg ofborg bot requested a review from fpletz December 12, 2020 03:35
@ajs124 ajs124 added this to WIP in Staging via automation Dec 12, 2020
@ajs124 ajs124 moved this from WIP to Needs review in Staging Dec 12, 2020
TredwellGit
TredwellGit approved these changes Dec 13, 2020
View reviewed changes
Copy link
Member

@TredwellGit TredwellGit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I rebuilt my personal system with this.
Should be labeled security and backported since certificate authority certificates were removed.

@andir
Copy link
Member

andir commented Dec 14, 2020 via email

@ajs124
Copy link
Member Author

ajs124 commented Dec 14, 2020

I thought esr uses an older nss for exactly that reason?

@TredwellGit
Copy link
Member

nixpkgs/pkgs/applications/networking/browsers/firefox/common.nix

Line 110 in ec2fa1c

nss_pkg = if lib.versionOlder ffversion "83" then nss_3_53 else nss;

nixpkgs/pkgs/applications/networking/mailreaders/thunderbird/default.nix

Line 123 in ec2fa1c

nss_3_53

Staging automation moved this from Needs review to Ready Dec 14, 2020
vcunat
vcunat approved these changes Dec 14, 2020
View reviewed changes
Copy link
Member

@vcunat vcunat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All sounds good.

@ajs124
Copy link
Member Author

ajs124 commented Dec 15, 2020

As Firefox 84 is released now, we might want to merge the nss part of this and the new firefox, assuming it requires that nss, to master and only going through staging with cacert.

@vcunat
Copy link
Member

vcunat commented Dec 15, 2020
edited

Probably not needed. 84 is said to be paired to 3.59. Their calendar now gives about a month of space between NSS release and the corresponding FF release: https://wiki.mozilla.org/NSS:Release_Versions

@FRidh FRidh merged commit 11d6355 into NixOS:staging Dec 17, 2020
Staging automation moved this from Ready to Done Dec 17, 2020
@ajs124 ajs124 deleted the upd/nss branch December 17, 2020 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vcunat vcunat vcunat approved these changes

@TredwellGit TredwellGit TredwellGit approved these changes

@andir andir Awaiting requested review from andir

@fpletz fpletz Awaiting requested review from fpletz

Assignees
No one assigned
Labels
10.rebuild-darwin: 501+ 10.rebuild-darwin: 1001-2500 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+
Projects
Staging
  
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@ajs124 @andir @TredwellGit @vcunat @FRidh