julien.pie...@oracle.com> wrote:
> Oracle still ships NSS with many products even though we are no
> longer actively involved with its development.

It is important to have somebody at least monitoring the bugs filed/fixed in the NSS component in bugzilla. See https://bugzilla.mozilla.org/userprefs.cgi?tab=component_watch for how you can subscribe to a feed of all NSS bug discussions.

Chris Newman wrote:
> --On October 24, 2012 22:19:40 -0700 Julien Pierre
> <julien.pie...@oracle.com> wrote:
> > Oracle still ships NSS with many products even though we are no
> > longer actively involved with its development. We do pick up new
> > releases from time to time. We picked up 3.13.x last year and I'm
> > looking into picking up 3.14.
> >> 2)
> >> - The NSS license has changed to MPL 2.0. Previous releases were
> >> released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more
> >> information about MPL 2.0, please see
> >> http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional
> >> explanation
> >> on GPL/LGPL compatibility, see security/nss/COPYING in the source
> >> code.
> >
> > This may be a serious problem also, but IANAL, so that is not for
> > me to decide.
>
> Will vulnerability fixes be provided on the NSS 3.13.x patch
> train? And if so, is there a date when vulnerability fixes will no
> longer be provided for that version?

First, I think pretty much everybody agrees that, concerns about backward compatibility aside, the changes that were made were all positive. And, so, we have to balance backward compatibility with old versions of NSS with compatibility with websites on the internet and compatibility with web browsers. Now, there are no people actively contributing to NSS that are arguing in favor of absolute backward compatibility.

AFAICT, there is no plan to work on 3.13.x any more. IMO, it is better to continue to focus development on the trunk. Even if somebody were to backport fixes to 3.13.x, then that work would also be under the MPL 2.0, for various reasons that, at this point, I think we cannot do anything about.
For example, all the fixes in the new version are assumed to have been contributed under MPL 2.0. See the MPL 2.0 FAQ that contains the email address to send licensing questions to: http://www.mozilla.org/MPL/2.0/FAQ.html

Also, I thought the goal was/is to remove the bypass mode code soon. Perhaps that decision will partly be based on how much it gets in the way of the TLS 1.2 implementation? I would be surprised if we required the TLS 1.2 implementation to support the bypass mode.

By the way, I think it would be very useful to know what causes the difference in performance between the bypass mode and the non-bypass mode, to see if we can optimize the non-bypass mode so that everybody (including users of NSS outside of libssl) can get the performance improvements.

Cheers,
Brian