Bug 1099619 - Rebase nss in RHEL 6.6 to NSS 3.16.1 (anticipated minimum version for FF 31)
Summary: Rebase nss in RHEL 6.6 to NSS 3.16.1 (anticipated minimum version for FF 31)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Elio Maldonado Batiz
QA Contact: Alicja Kario
URL:
Whiteboard:
Depends On: 1035355 1099618
Blocks: 1112136 1113862
 
Reported: 2014-05-20 18:31 UTC by Kai Engert (:kaie) (inactive account)
Modified: 2014-10-14 05:03 UTC (History)

Fixed In Version: nss-3.16.1-13.el6, nss-util-3.16.1-1.el6
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Rebase package(s) to version: 3.16.1 The nss, nss-util, and nspr packages have been upgraded to upstream version 3.16.1 and 4.10.6 respectively, which provide a number of bug fixes and enhancements over the previous versions. (BZ#1099618, BZ#1099619)
Clone Of:
: 1112136 (view as bug list)
Environment:
Last Closed: 2014-10-14 05:03:57 UTC
Target Upstream Version:
Embargoed:


Attachments
changes to rebase nss-util to nss-3.16.1 (9.52 KB, patch)
2014-05-22 23:17 UTC, Elio Maldonado Batiz
rrelyea: review+
all changes to rebase nss to nss-3.16.1 (44.96 KB, patch)
2014-05-22 23:23 UTC, Elio Maldonado Batiz
rrelyea: review+
spec file changes for rebase to 3.16.1 (3.74 KB, patch)
2014-05-23 15:50 UTC, Elio Maldonado Batiz
rrelyea: review+
Additional changes needed due to the rebase (4.32 KB, patch)
2014-06-07 22:44 UTC, Elio Maldonado Batiz
rrelyea: review-
backport upstream fix applied for 3.16.2 (2.64 KB, patch)
2014-06-30 22:00 UTC, Elio Maldonado Batiz
rrelyea: review+
fix regression caused by the previous fix (2.61 KB, patch)
2014-08-20 16:31 UTC, Elio Maldonado Batiz
no flags
Revised race condition patch that doesn't cause libpem deadlock (5.08 KB, patch)
2014-08-20 16:48 UTC, Elio Maldonado Batiz
rrelyea: review+
Changes to the spec file in patch format (811 bytes, patch)
2014-08-20 16:49 UTC, Elio Maldonado Batiz
rrelyea: review+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2014:1378 | 0 | normal | SHIPPED_LIVE | nss bugfix and enhancement update | 2014-10-14 01:06:09 UTC

Description Kai Engert (:kaie) (inactive account) 2014-05-20 18:31:48 UTC
RHEL 6.6 should ship with NSS 3.16.1, which is the minimum version currently anticipated to be required by Firefox 31.

Comment 1 Elio Maldonado Batiz 2014-05-22 23:17:12 UTC
Created attachment 898508 [details]
changes to rebase nss-util to nss-3.16.1

Comment 2 Elio Maldonado Batiz 2014-05-22 23:23:06 UTC
Created attachment 898509 [details]
all changes to rebase nss to nss-3.16.1

Easy to apply but it's a bit hard on the eyes. I can split off the nss.spec file and other changes out for ease of review.

Comment 3 Elio Maldonado Batiz 2014-05-22 23:24:10 UTC
Temporarily working on a private shared branch. If interested, you can get the nss-util and nss sources with:
git clone --branch private-emaldona-bz1099619 nss-util
git clone --branch private-emaldona-bz1099619 nss

Comment 4 Elio Maldonado Batiz 2014-05-23 15:50:03 UTC
Created attachment 898716 [details]
spec file changes for rebase to 3.16.1

Comment 5 Elio Maldonado Batiz 2014-05-23 15:54:11 UTC
Comment on attachment 898509 [details]
all changes to rebase nss to nss-3.16.1

For completeness' sake, all changes, including removal of patches and adjustments to patches which are hard to inspect. I split off the spec file portion in the other attachment.

Comment 6 Bob Relyea 2014-05-23 22:51:27 UTC
Comment on attachment 898508 [details]
changes to rebase nss-util to nss-3.16.1

r+ NOTE: I did not personally check that the rebase contained the patches you removed.

Comment 7 Bob Relyea 2014-05-23 22:55:24 UTC
Comment on attachment 898509 [details]
all changes to rebase nss to nss-3.16.1

r+ rrelyea

Comment 11 Elio Maldonado Batiz 2014-05-27 20:17:47 UTC
(In reply to Bob Relyea from comment #6)
> Comment on attachment 898508 [details]
> changes to rebase nss-util to nss-3.16.1
> 
> r+ NOTE: I did not personally check that the rebase contained the patches
> you removed.

Thank you Bob for the prompt review. The rebase does indeed render those patches obsolete. Here is the rundown.

Deleted patches:
#	deleted:    add-missing-option-descriptions.patch
Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001 - RESOLVED FIXED
  
#	deleted:    disable-ocsp-stapling-tests.patch
Because (Remove OCSP stapling tests that rely on external servers)
 https://bugzilla.mozilla.org/show_bug.cgi?id=936778 - RESOLVED FIXED (3.15.4)

#	deleted:    dont-disable-internal-module.patch
 https://bugzilla.mozilla.org/show_bug.cgi?id=977673 

#	deleted:    nss-ecc-list-3.15.3.patch
#	deleted:    nss-util-ecc-list-3.15.3.patch
Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=977673 - RESOLVED FIXED

Let me highlight something which is very easy to miss in a review.
# Disable hw gcm on RHEL5-based build environments where older OS lacks support
Patch63: disable_hw_gcm.patch
...
#%patch63 -p0 -b .hw_comp

I temporarily disabled it as it no longer applies and needs some thought, as I had a discussion with Wan-Teh upstream where he had different ideas. I can't find the bug now, which was probably resolved as a duplicate of another one. There were some changes coming from Julien Pierre on https://bugzilla.mozilla.org/show_bug.cgi?id=979132 as he ran into similar problems as we did. I need to discuss that a bit with you once I gather all the needed info. Stay tuned.

Comment 18 Elio Maldonado Batiz 2014-06-07 19:07:27 UTC
(In reply to Elio Maldonado Batiz from comment #11)

> Let me highlight something which is very easy to miss in a review.
> # Disable hw gcm on RHEL5-based build environments where older OS lacks
> support
> Patch63: disable_hw_gcm.patch
> ...
> #%patch63 -p0 -b .hw_comp
> 
> I temporarily disabled it as it no longer applies and needs some thought, as I
> had a discussion with Wan-Teh upstream where he had different ideas. I can't
> find the bug now which was probably resolved as duplicate of another one.
> There were some changes coming from Julien Pierre on
> https://bugzilla.mozilla.org/show_bug.cgi?id=979132 as he ran into similar
> problems as we did. I need to discuss that a bit with you once I gather all
> the needed info. Stay tuned.

Bob, I finally found the information I was looking for. Wan-Teh's comments are in https://bugzilla.mozilla.org/show_bug.cgi?id=941690#c1 where he states that the patch, which as I stated above cannot be applied after the rebase to 3.16.1, is not needed and using NSS_DISABLE_HW_AES=1 should be sufficient.

Comment 19 Elio Maldonado Batiz 2014-06-07 22:44:30 UTC
Created attachment 903189 [details]
Additional changes needed due to the rebase

Remove disable_hw_gcm.patch and use NSS_DISABLE_HW_AES=1 per upstream recommendation by wtc. See Comment 18.

Comment 20 Elio Maldonado Batiz 2014-06-09 15:07:30 UTC
Additional information: the NSS_DISABLE_HW_AES=1 part is not needed. The brew builds work fine without it. I confirmed with release engineering that they are still using RHEL-5 based hosts for the builders.

Comment 21 Bob Relyea 2014-06-09 21:34:00 UTC
Comment on attachment 903189 [details]
Additional changes needed due to the rebase

HW_AES and HW_GCM are different issues. HW_AES works fine on RHEL 5.

Comment 22 Bob Relyea 2014-06-09 21:36:05 UTC
IIRC, the hw_gcm patch was applied upstream already. In the meantime someone updated upstream so that it didn't need it.

These are all irrelevant because the code in question is in softoken, which should not be rebased in this bug (softoken needs to be 3.14.x for FIPS reasons, we are not validating 3.16.x).

bob

Comment 23 Bob Relyea 2014-06-09 22:32:15 UTC
OK, this is RHEL-6 not RHEL-5. The patch appears to have been added simply to deal with running local tests inside nss and not in any code that actually ships.
Upstream has updated softoken so it's not necessary to explicitly turn it off (though we should get back to wtc and suggest that we still want to be able to do it). 

Turning off AES_HW is fine because it's just the NSS tests, not the softoken tests (which run separately).

The confusion seems to come because we still have a full softoken in the tree even though we don't ship with it.

bob

Comment 26 Elio Maldonado Batiz 2014-06-30 22:00:50 UTC
Created attachment 913569 [details]
backport upstream fix applied for 3.16.2

upstream bug is https://bugzilla.mozilla.org/show_bug.cgi?id=963150 and its fix is required by Firefox 31.

Comment 30 Elio Maldonado Batiz 2014-08-20 16:31:12 UTC
Created attachment 928882 [details]
fix regression caused by the previous fix

This supplementary patch by Bob Relyea fixes the regression introduced by the fix for the race condition. I will attach next a revised patch that merges the two into one and is more suitable for submission upstream.

Comment 31 Elio Maldonado Batiz 2014-08-20 16:48:19 UTC
Created attachment 928886 [details]
Revised race condition patch that doesn't cause libpem deadlock

Comment 32 Elio Maldonado Batiz 2014-08-20 16:49:25 UTC
Created attachment 928887 [details]
Changes to the spec file in patch format

Comment 33 Bob Relyea 2014-08-20 17:06:56 UTC
Comment on attachment 928886 [details]
Revised race condition patch that doesn't cause libpem deadlock

r+ rrelyea

Comment 34 Bob Relyea 2014-08-20 17:07:21 UTC
Comment on attachment 928887 [details]
Changes to the spec file in patch format

r+ rrelyea

Comment 37 errata-xmlrpc 2014-10-14 05:03:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1378.html

