Update TB to RNP v0.15.1
Categories
(MailNews Core :: Security: OpenPGP, enhancement)
Tracking
(thunderbird_esr78+ affected, thunderbird90 fixed)
People
(Reporter: KaiE, Assigned: KaiE)
References
Details
Attachments
(3 files)
(deleted),
text/x-phabricator-request
|
wsmwk
:
approval-comm-beta+
|
Details |
(deleted),
text/x-phabricator-request
|
wsmwk
:
approval-comm-beta+
|
Details |
(deleted),
text/x-phabricator-request
|
wsmwk
:
approval-comm-beta+
|
Details |
We should upgrade comm-central (the TB development branch) to RNP v0.15.1 which was released yesterday.
Nickolay:
-
which Botan version do you recommend to use with v0.15.1?
-
Thunderbird stable 78 still uses RNP v0.14.0 and Botan 2.13.0
-
do you have a list of major changes since v0.14.0 ?
-
are there areas in which you see risk for regressions?
Assignee | ||
Comment 1•3 years ago
|
||
Updated•3 years ago
|
Assignee | ||
Comment 2•3 years ago
|
||
Depends on D116426
Assignee | ||
Updated•3 years ago
|
Comment 3•3 years ago
|
||
(In reply to Kai Engert (:KaiE:) from comment #0)
- which Botan version do you recommend to use with v0.15.1?
In CI we run 2.17.3 now and didn't see any problems yet. According to Botan's changelog it is worth updating to 2.17.3 as there were some ECDSA/DH/CVE fixes.
- do you have a list of major changes since v0.14.0 ?
We have CHANGELOG.md in the release branch (and in mater branch now as well), all non-internal changes are described there.
Since v14.0 there were mostly improvements/fixes of bugs, including ones reported via Bugzilla. I'll update all corresponding tickets with 'fixed in 0.15.1' message.
- are there areas in which you see risk for regressions?
I would not call that regression, but there could be changes in key expiration times reporting for keys with multiple userids/complicated structure, as now direct-key/primary userid signatures have higher priority for key expiration check. Previously we checked the latest valid self-signature. Combined with the issue https://github.com/rnpgp/rnp/issues/1497 in some cases (say, secondary userid sig was fresher then primary, and user changed key expiration via Thunderbird) now RNP may return another key expiration value. So user will need to extend key expiration again.
Also your patch for disabling weak hashes would need some minor changes.
This all I can remember for now, but if find out something else - will update the ticket.
Comment 4•3 years ago
|
||
Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/7fdeef6a6754
Import RNP v0.15.1. r=rjl
https://hg.mozilla.org/comm-central/rev/c9c87464f4b5
Adjust build and patch for v0.15.1. r=rjl
https://hg.mozilla.org/comm-central/rev/afe18a0460c5
Update README.rnp with recent changes to the build. r=kaie
Assignee | ||
Updated•3 years ago
|
Assignee | ||
Comment 6•3 years ago
|
||
Comment on attachment 9224367 [details]
Bug 1713664 - Import RNP v0.15.1. r=rjl
We should pick up the latest fixes in the RNP OpenPGP library, and start testing on beta.
[Approval Request Comment]
Regression caused by (bug #): no
User impact if declined:
Testing completed (on c-c, etc.): on c-c
Risk to taking this patch (and alternatives if risky): low
Assignee | ||
Updated•3 years ago
|
Assignee | ||
Updated•3 years ago
|
Updated•3 years ago
|
Comment 7•3 years ago
|
||
Comment on attachment 9224367 [details]
Bug 1713664 - Import RNP v0.15.1. r=rjl
[Triage Comment]
Approved for beta
Comment 8•3 years ago
|
||
Comment on attachment 9224561 [details]
Bug 1713664 - Update README.rnp with recent changes to the build. r=kaie
[Triage Comment]
Approved for beta
Comment 9•3 years ago
|
||
Comment on attachment 9224368 [details]
Bug 1713664 - Adjust build and patch for v0.15.1. r=rjl
[Triage Comment]
Approved for beta
Comment 10•3 years ago
|
||
bugherder uplift |
Updated•3 years ago
|
Updated•3 years ago
|
Description
•