I'm sending this explanation because I've seen several people being
confused, and I anticipate the confusion might continue for a while.

Since nobody else has done so yet, I'm writing this clarification in the
hope it is useful to avoid future confusion.

As of today, there are development branches of Firefox that require
a new API, a function named:
  SEC_PKCS7VerifyDetachedSignatureAtTime

Those Firefox development branches contain a modified version of NSS,
which adds that function as a new API.

This means that attempts to build those development branches of Firefox
against a systemwide installed NSS will currently fail, because no
released NSS version contains the required API yet.

Fortunately, by now, agreement has been reached on how to clean up this
situation: The next version of NSS (3.15) will contain the new API that
Mozilla has already added to their copies of earlier versions of NSS.

It will be another couple of weeks until NSS 3.15 gets released; it
might be realistic to expect it around end of April.

Which Firefox branches are affected?

Firefox 23 = current mozilla-central
- currently still using NSS 3.14.3, but with a local patch applied
- expected to upgrade soon to NSS 3.15 beta (tracked in bug 858231)
- in other words, hopefully it will be cleaned up very soon

Firefox 22 = current mozilla-aurora
- currently still using NSS 3.14.3, but with a local patch applied
- I understand that Mozilla engineers are still undecided 
  how to clean up
- options are: either same as Firefox 23 or same as Firefox 21

Firefox 21 = current mozilla-beta
- earlier snapshots of Firefox 21 had used this function
- in the meantime this has been cleaned up in bug 853776
  by removing the Firefox application code that calls the function,
  thereby making the new NSS API unnecessary.

Firefox Boot2Gecko B2G 18 branch
- uses a fork of NSS 3.14.3 with the new API added as a patch

What does this mean for building Firefox?

If you want to build a development snapshot of Firefox against a
systemwide installed NSS, and you want to build Firefox 22 aurora at
this time, you have the following choices:

- don't build Firefox 22 aurora until Mozilla has cleaned up the situation.
  If you are waiting for that to happen, you could remind Mozilla 
  to either apply bug 853776 to aurora 22
  or to extend bug 858231 to cover aurora 22, too.

- if you are testing locally and you don't need to package
  the current development snapshot of Firefox/NSS,
  until the situation gets cleaned up by Mozilla,
  you could temporarily build without --with-system-nss

- if you must build Firefox 22 aurora right now, and you must have a 
  compatible system NSS right now, then
  - either use the forked version of NSS that Mozilla has used,
    by applying the patch that you can find in the Firefox source
    in directory mozilla/security/patches,
    and install your modified version as system NSS
  - or use NSS 3.15 "beta 1"

Let's hope this kind of situation will remain an exception and can be
avoided in the future.

Regards
Kai


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
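
Added example, not part of the original message: a packager-side check that tells a stock NSS 3.14.3, a patched fork, and a release that carries the API apart by looking at the exported symbol rather than the version alone. The function names, the sample symbol listings, and the choice of `nm` output as input are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Input is a version string plus
# `nm -D --defined-only` output of the NSS S/MIME library (libsmime3 is an
# assumption about the install; the version could come from pkg-config).
REQUIRED_API=SEC_PKCS7VerifyDetachedSignatureAtTime
FIRST_RELEASE=3.15   # per the post, the first release to carry the API

# version_ge A B: true if dotted numeric version A >= B. Components are
# compared as numbers, so 3.15 > 3.14.3 and 3.9 < 3.15.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# exports_symbol NAME: reads nm output on stdin; true only for an exact match
# on a defined text symbol (any ELF symbol-version suffix is dropped first).
exports_symbol() {
    awk -v s="$1" 'NF >= 2 { n = $NF; sub(/@.*/, "", n)
        if (n == s && $(NF-1) == "T") found = 1 }
        END { exit !found }'
}

# classify_nss VERSION NM_FILE: prints release, patched or missing.
classify_nss() {
    if ! exports_symbol "$REQUIRED_API" < "$2"; then echo missing
    elif version_ge "$1" "$FIRST_RELEASE"; then echo release
    else echo patched; fi
}

# Constructed nm listings for the demonstration (addresses are made up).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/stock.txt" <<'EOF'
0000000000012340 T SEC_PKCS7VerifyDetachedSignature
0000000000012a10 T SEC_PKCS7VerifySignature
EOF
cat > "$demo_dir/patched.txt" <<'EOF'
0000000000012340 T SEC_PKCS7VerifyDetachedSignature
0000000000012560 T SEC_PKCS7VerifyDetachedSignatureAtTime
EOF
echo "stock 3.14.3:   $(classify_nss 3.14.3 "$demo_dir/stock.txt")"
echo "patched 3.14.3: $(classify_nss 3.14.3 "$demo_dir/patched.txt")"
```

A result of "missing" means a build with --with-system-nss will fail for the affected branches; "patched" means the API is present in a pre-3.15 build, as with the forked 3.14.3 described above.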
