Hi, On Thu, Nov 05, 2015 at 09:00:51PM +0100, Florian Weimer wrote: > * Mike Hommey: > > > On ABI stability, both NSPR and NSS have a very strict policy. NSPR > > receives very few ABI changes, and it's only adding new functions. NSS > > has much more ABI changes, but also only adding new functions. > > This is incorrect, there have been unplanned ABI changes related to > SSL_ImplementedCiphers variable: > > <http://openwall.com/lists/oss-security/2015/09/07/6> > > I will fix the glibc warning to be much more explicit about this.
Wow, that one is ugly. > > > The biggest issue with NSS version bumps is that defaults change, > > such as cyphers, protocols, etc. That can have unexpected > > consequences on existing setups. > > The typical complaint with NSS is the opposite, tha the defaults do > not change fast enough. Iceweasel/Mozilla PSM overrides basically all > the settings, so what you see there does not reflect upstream NSS > defaults. > > (This is a significant concern for Fedora and its downstream because > of the attempt crypto consolidation to NSS and greater NSS usage > there.) But is this worse than backporting? In this case conservative would be good for what we want to do. Cheers, -- Guido