Bug 1381400
Description
Upstream Release Monitoring
2016-10-04 00:22:26 UTC
Patching or scratch build for nss-3.27.0 failed. Created attachment 1207038 [details] Rebase-helper rebase-helper-debug.log log file. See for details and report the eventual error to rebase-helper https://github.com/phracek/rebase-helper/issues. Patches were not touched. All were applied properly There's only one change in upstream NSS: - disable compilation of TLS 1.3 (draft) code by default. Daiki already made the same change to the packaging configuration that we use for the NSS 3.27 packages, so an update to NSS 3.27.1 seems unnecessary. Latest upstream release: 3.27.2 Current version/release in rawhide: 3.27.0-5.fc26 URL: http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/2503/ Patching or scratch build for nss-3.27.0 failed. Created attachment 1226438 [details] Rebase-helper rebase-helper-debug.log log file. See for details and report the eventual error to rebase-helper https://github.com/phracek/rebase-helper/issues. Patches were not touched. All were applied properly NSS 3.27.2 contains a single correctness fix. Firefox 51 depends on the correctness fix that was fixed in NSS 3.27.2 Firefox 51 is currently scheduled to be released 2017-01-24 We must do one of the following: - ship NSS 3.27.2 in Fedora prior to 2017-01-24 or - ship NSS 3.28 in Fedora prior to 2017-01-24 I expect that NSS 3.28 will be released prior to that date, so it might be unnecessary to ship NSS 3.27.2 Latest upstream release: 3.28 Current version/release in rawhide: 3.27.2-2.fc26 URL: http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/2503/ Patching or scratch build for nss-3.27.2 failed. Created attachment 1234750 [details] Rebase-helper rebase-helper-debug.log log file. See for details and report the eventual error to rebase-helper https://github.com/phracek/rebase-helper/issues. Patches were not touched. All were applied properly Latest upstream release: 3.28.1 Current version/release in rawhide: 3.27.2-2.fc26 URL: http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/2503/ Patching or scratch build for nss-3.27.2 failed. Created attachment 1237456 [details] Rebase-helper rebase-helper-debug.log log file. See for details and report the eventual error to rebase-helper https://github.com/phracek/rebase-helper/issues. Patches were not touched. All were applied properly ca-certificates-2017.2.11-1.0.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9784ee67f2 ca-certificates-2017.2.11-1.0.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0b50f61ab2 kengert's nss-3.28.1-2.fc26 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=831602 ca-certificates-2017.2.11-1.0.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0b50f61ab2 ca-certificates-2017.2.11-1.0.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9784ee67f2 ueno's nss-3.28.1-3.fc26 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=833605 nss-3.28.1-1.1.fc25 nss-softokn-3.28.1-1.0.fc25 nss-util-3.28.1-1.0.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e42b513012 nss-3.28.1-1.1.fc24 nss-softokn-3.28.1-1.0.fc24 nss-util-3.28.1-1.0.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbb320ba18 Daiki, thanks a lot for providing the update packages. I found a problem, which I believe is enough to justify revoking the builds. Firefox 50 doesn't work with NSS 3.28.1, because it introduces a curve, that is smaller than a check in Firefox 50 allows. In order to make NSS 3.28.1 usable, the patch from the following upstream bug is required: https://bugzilla.mozilla.org/show_bug.cgi?id=1290037 I suggest to add a "conflicts" statement to nss.spec that makes it incompatible with versions of firefox that don't have the fix. Firefox 51 will already contain the required fix. But Firefox 51 won't go public before Jan 24. It would be nice to be able to start testing NSS 3.28.1 sooner than that. I'll file a bug to ask our firefox maintainers if they want to respin firefox for us. ca-certificates-2017.2.11-1.0.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. ca-certificates-2017.2.11-1.0.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. I see that Martin created builds for f24 + f25 + rawhide-f26. All builds that contain the required patch use n-v-r: firefox-50.1.0-3 I suggest to created updates NSS 3.28.1 packages that contain the following statement in the spec file: Conflicts: firefox < 50.1.0-3 That's the correct syntax, right? I think adding it to the main nss.rpm is sufficient. I should mention that the builds aren't finished yet, but only the slow armv7hl arch is pending. If we want to be certain about the Conflicts: statement, we might want to wait another 1-2 hours, to confirm the builds succeeded: https://koji.fedoraproject.org/koji/taskinfo?taskID=17302211 https://koji.fedoraproject.org/koji/taskinfo?taskID=17302213 https://koji.fedoraproject.org/koji/taskinfo?taskID=17302134 Another thought: Should we combine the firefox + nss builds in a combined bodhi update, because the updated NSS builds must not be pushed prior to that firefox build being available as an update, too? (In reply to Kai Engert (:kaie) from comment #31) > Another thought: > > Should we combine the firefox + nss builds in a combined bodhi update, > because the updated NSS builds must not be pushed prior to that firefox > build being available as an update, too? Good idea. Feel free to file such update or I can do that if you wish. ueno's nss-3.28.1-4.fc26 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=834367 (In reply to Martin Stransky from comment #32) > Good idea. Feel free to file such update or I can do that if you wish. To submit a combined update for both packages, it's necessary to have commit access for both packages. I've just requested commit access for firefox, could you please grant it to me? (If you want, you can revoke commit access after I'm done.) (In reply to Kai Engert (:kaie) from comment #34) > (In reply to Martin Stransky from comment #32) > > Good idea. Feel free to file such update or I can do that if you wish. > > To submit a combined update for both packages, it's necessary to have commit > access for both packages. > > I've just requested commit access for firefox, could you please grant it to > me? Done. I expected you have such rights by default. firefox-50.1.0-3.fc25 nss-3.28.1-1.2.fc25 nss-softokn-3.28.1-1.0.fc25 nss-util-3.28.1-1.0.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e42b513012 firefox-50.1.0-3.fc24 nss-3.28.1-1.2.fc24 nss-softokn-3.28.1-1.0.fc24 nss-util-3.28.1-1.0.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbb320ba18 (In reply to Martin Stransky from comment #35) > Done. I expected you have such rights by default. Thanks! The combined updates have been submitted: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e42b513012 https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbb320ba18 Great, Thanks! firefox-50.1.0-3.fc24, nss-3.28.1-1.2.fc24, nss-softokn-3.28.1-1.0.fc24, nss-util-3.28.1-1.0.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbb320ba18 firefox-50.1.0-3.fc25, nss-3.28.1-1.2.fc25, nss-softokn-3.28.1-1.0.fc25, nss-util-3.28.1-1.0.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e42b513012 I've unpushed the updates, because it broke Thunderbird, see bug 1414929. Thunderbird will require the same patch as Firefox. Everyone, can you please help to brainstorm, are there any additional applications on Fedora, that use the relevant Mozilla code netwerk/protocol/http/Http2Session.cpp ? - firefox - thunderbird - seamonkey - chatzilla - xulrunner Is there anything else? We need to check the status of all the above applications, whether they currently contain the problematic code, or not. Another package: - esc The check in Mozilla code that is causing the issue has been added in Mozilla 32: https://hg.mozilla.org/mozilla-central/rev/cdddbe2d85b4 We have Xulrunner version 44, which is affected and needs a respin. We have SeaMonkey version 49, which is affected and needs a respin. I believe chatzilla and esc use xulrunner, and don't need independent work. I'm not sure what we should do regarding "Conflicts:". Do we need to respin NSS with Conflicts for all those applications (xulrunner + seamonkey + thunderbird) or is providing the updated application builds sufficient? Thoughts? I'll rebuild thunderbird and xulrunner. A problem has been found with our attempt to enable TLS 1.3 in bug 1415140. We found a server that enables TLS 1.3 (probably by querying the protocols available), but fails to configure other details that are necessary to use TLS 1.3 I suggest that, for now, we postpone further testing with TLS 1.3 enabled in NSS, to give freeipa time to address that issue. I suggest to respin NSS with TLS 1.3 disabled, to enable the delivery of Firefox 51 on January 24. (Firefox packagers are already waiting for us to make NSS 3.28.1 available, so they can build.) firefox-50.1.0-3.fc25 icecat-45.5.1-6.fc25 nss-3.28.1-1.3.fc25 nss-softokn-3.28.1-1.0.fc25 nss-util-3.28.1-1.0.fc25 seamonkey-2.46-3.fc25 thunderbird-45.6.0-5.fc25 xulrunner-44.0-9.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e42b513012 firefox-50.1.0-3.fc24 icecat-45.5.1-6.fc24 nss-3.28.1-1.3.fc24 nss-softokn-3.28.1-1.0.fc24 nss-util-3.28.1-1.0.fc24 seamonkey-2.46-3.fc24 thunderbird-45.6.0-5.fc24 xulrunner-44.0-9.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbb320ba18 firefox-50.1.0-3.fc24, icecat-45.5.1-6.fc24, nss-3.28.1-1.3.fc24, nss-softokn-3.28.1-1.0.fc24, nss-util-3.28.1-1.0.fc24, seamonkey-2.46-3.fc24, thunderbird-45.6.0-5.fc24, xulrunner-44.0-9.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbb320ba18 firefox-50.1.0-3.fc25, icecat-45.5.1-6.fc25, nss-3.28.1-1.3.fc25, nss-softokn-3.28.1-1.0.fc25, nss-util-3.28.1-1.0.fc25, seamonkey-2.46-3.fc25, thunderbird-45.6.0-5.fc25, xulrunner-44.0-9.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e42b513012 firefox-50.1.0-3.fc25, icecat-45.5.1-6.fc25, nss-3.28.1-1.3.fc25, nss-softokn-3.28.1-1.0.fc25, nss-util-3.28.1-1.0.fc25, seamonkey-2.46-3.fc25, thunderbird-45.6.0-5.fc25, xulrunner-44.0-9.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. firefox-50.1.0-3.fc24, icecat-45.5.1-6.fc24, nss-3.28.1-1.3.fc24, nss-softokn-3.28.1-1.0.fc24, nss-util-3.28.1-1.0.fc24, seamonkey-2.46-3.fc24, thunderbird-45.6.0-5.fc24, xulrunner-44.0-9.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. I guess we can close this now. |