On May 11, 2009 at 8:44 AM PDT, Eddy Nigg <eddy_n...@startcom.org> wrote:
>>
>>> There are quite some roots which should be included and nobody seems
>>> to be working on it. Can Nelson or somebody advise if to provide
>>> patches for those roots or not?

Changes to the built-in root CAs, or the list of EV-enabled CAs, involve a more extensive human protocol than other patches. Not only do they go through the normal patch review procedures, but also test builds of Firefox with the change present are generated and the affected CAs are required to test those test builds and confirm the correctness of the relevant changes before those changes can be committed.

IMO, there's not much point in a person generating any one of the patches unless that person can carry through all the steps.

One of the most time-consuming aspects of that multi-step process is building the test builds. Mozilla has a server, known as "tryserver", that takes a supplied patch and builds Firefox with it on all the platforms for which Mozilla usually builds Firefox releases. I believe it is open only to Mozilla committers. At first glance, this seems almost ideal for generating the test builds for the CAs to use in testing. However ...

Ideally, one could tell Tryserver to "Take Firefox source from the current branch for FF 3.0.x or FF 3.5 (from CVS or Hg, as appropriate), plus NSS from CVS tag X, plus this small patch, and build it", but presently that does not seem possible. Instead, it is necessary to produce a patch that contains ALL the differences between NSS on the trunk and NSS as it presently appears on the relevant CVS or Hg branch used by Firefox, as well as including your own intended changes, and ask TryServer to build with that enormous patch. This is especially challenging for builds from Hg.

Alternatively, it would be nice if Tryserver could be told to just pull and build NSS from the CVS trunk plus the additional CVS patch, and build that for all platforms. But it doesn't seem set up to do that, either.

In short, I cannot tell you how to build a Firefox test build on all platforms for the CAs to use in testing. I haven't done it myself. AFAIK, only Kai and perhaps Wan-Teh have done so.

IMO, this is a problem that Mozilla {Co,Fo} must solve.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto