On Fri, Nov 06, 2015 at 05:22:15PM +0100, Guido Günther wrote: > Hi, > On Thu, Nov 05, 2015 at 09:00:51PM +0100, Florian Weimer wrote: > > * Mike Hommey: > > > > > On ABI stability, both NSPR and NSS have a very strict policy. NSPR > > > receives very few ABI changes, and it's only adding new functions. NSS > > > has much more ABI changes, but also only adding new functions. > > > > This is incorrect, there have been unplanned ABI changes related to > > SSL_ImplementedCiphers variable: > > > > <http://openwall.com/lists/oss-security/2015/09/07/6> > > > > I will fix the glibc warning to be much more explicit about this. > > Wow, that one is ugly. > > > > > > The biggest issue with NSS version bumps is that defaults change, > > > such as cyphers, protocols, etc. That can have unexpected > > > consequences on existing setups. > > > > The typical complaint with NSS is the opposite, tha the defaults do > > not change fast enough. Iceweasel/Mozilla PSM overrides basically all > > the settings, so what you see there does not reflect upstream NSS > > defaults. > > > > (This is a significant concern for Fedora and its downstream because > > of the attempt crypto consolidation to NSS and greater NSS usage > > there.) > > But is this worse than backporting? In this case conservative would be > good for what we want to do.
I wonder how to move forward with this? I'll start preparing packages so we can at least to some testing and maybe provide current versions via backports. Cheers, -- Guido