nss update for jessie

Mike Hommey mh at glandium.org
Sun Oct 2 07:11:33 UTC 2016


On Sun, Oct 02, 2016 at 08:39:03AM +0200, Florian Weimer wrote:
> * Mike Hommey:
> 
> > On Sat, Oct 01, 2016 at 09:20:49PM +0200, Florian Weimer wrote:
> >> Hi Mike and all,
> >> 
> >> I'm looking at the possibility of a nss security update for jessie.
> >> 
> >> Do you suggest rebasing the package to a later upstream maintenance
> >> release, or backporting individual patches?
> >
> > The former is more tractable, although you'd run into the issue of
> > possibly changed defaults.
> 
> But sometimes, the security fix is in the changed defaults.
> 
> I know that historically, NSS relied on application updates to
> implement changing cipher preferences (in the sense that “if your
> application negotiated this cipher suite in 1998, you certainly want
> it to pick the same suite today”).  But this means that all
> applications need to be patched for cipher deprecations and
> introduction of new ciphers (such as ECC).  I don't think this matches
> current user expectations.
> 
> I saw the most recent upstream release compiles in necessarily
> incomplete TLS 1.3 support.  *This* is not something we want, and
> I wonder what other traps are in the code base.

Note there's likely going to be another upstream release to fix that
particular issue. Also note that that particular problematic upstream
release is not in Debian yet.

Mike
