NSS 3.13 is not yet released, but once it is, we want to upgrade mozilla-central to use it.

Wan-Teh, do you agree to upgrade mozilla-central to NSS_3_13_BETA1 ? (I plan do so after getting a successful tryserver build with this tag.)

Comment on attachment 554163 [details] [diff] [review] NSS_3_13_BETA1 r=wtc. I agree.

Beta1 tryserver build looks good to me. http://tbpl.allizom.org/?tree=Try&usebuildbot=1&rev=a1e17d3d08e8 I checked the Beta1 in to mozilla-inbound. http://hg.mozilla.org/integration/mozilla-inbound/rev/33000157292b

This will stay open until we have checked in the final release of 3.13

We have to take this in mozilla-aurora because we committed 3.13 BETA 1 before the merge. If we decide we don't want to activate the safeguards against the BEAST attack in mozilla-aurora because of the compatibility risk, then I will write a one-line patch that uses the SSL_OptionSet API to disable it. But, I would prefer we try to avoid doing that if possible. There is some tension between the known compatibility issues associated with the workaround for the TLS BEAST attack included in 3.13 and other browsers' schedules for releasing a workaround. Details of other browser makers' plans cannot be posted here, but I believe that it will be important for Firefox 8 or Firefox 9 to take up this release. I will schedule a private meeting to discuss the compatibility impact with release-drivers.

Here is the tryserver run after running: python client.py update_nss NSS_3_13_RC0 hg addremove Here is the tryserver run for NSS_3_13_RC0: https://tbpl.mozilla.org/?tree=Try&rev=ef941bca98fd Once it completes, I will check it into mozilla-central.

Wan-Teh, I believe I am doing the import correctly, but could you please double-check? I issued the commands: python client.py update_nss NSS_3_13_RC0 hg addremove I verified that coreconf.dep was already modified The tryserver run above looks as decent as a tryserver run gets (not very decent, but not the fault of this change.)

Comment on attachment 565639 [details] [diff] [review] Upgrade to NSS 3.13.0 r=wtc.

Comment on attachment 565639 [details] [diff] [review] Upgrade to NSS 3.13.0 https://hg.mozilla.org/mozilla-central/rev/8f011395145e

Because of regression bug 693228 introduced in NSS 3.13, we MUST update to the next NSS release (NSS 3.13.1) for mozilla-central. Because we landed a pre-release of NSS 3.13 before mozilla-aurora branched, we MUST that same NSS release (NSS 3.13.1) on mozilla-aurora.

I don't understand why we need both this bug and the NSS bug 695833. Anyway, I have created the NSS_3_13_1_BETA1 CVS tag and will push it to mozilla-inbound when the tree opens.

---------------------------------[ Triage Comment ]--------------------------------- We definitely want to track this for 9aurora as we have the beta version there and should update to final. What do we need to do for Firefox 8? I doubt we'll be taking this version into the tree as it is so close to release and Oracle has released an update for Java mitigating the BEAST attack (I think). We'll track this for Firefox 8 as well until we get a definitive answer so this doesn't get lost.

Why is target milestone Mozilla9? Atm this is only in Mozilla10.

Beta1 made mozilla9 in comment 4.

Kai, this patch is for mozilla-aurora only. It upgrades NSS to 3.13.1 RTM. I made the following changes: * python client.py update_nss NSS_3_13_1_RTM * verified security/coreconf/coreconf.dep was modified * updated configure.in to require system NSS 3.13.1

Kai, this patch updates mozilla-central to NSS 3.13.1 RTM. I made the following changes: * python client.py update_nss NSS_3_13_1_RTM * updated security/coreconf/coreconf.dep to remove a blank line, to cause NSS to fully rebuild * updated configure.in to require NSS 3.13.1 or later. I am not sure about the change to security/coreconf/coreconf.dep. Is that the right thing to do here?

Yes, to update security/coreconf/coreconf.dep, just add or delete a blank line at the end of the file.

Comment on attachment 570615 [details] [diff] [review] Update mozilla-central to NSS 3.13.1 r=wtc. This patch is correct.

Comment on attachment 570614 [details] [diff] [review] [for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM Review of attachment 570614 [details] [diff] [review]: ----------------------------------------------------------------- I think we should apply this patch before we apply the patch for bug 698753. Please r+ and a+ for aurora.

Comment on attachment 570614 [details] [diff] [review] [for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM based on: - the description in comment 17 - the change to configure.in in the attached patch: r=kaie Suggestion: I think it's unnecessary to attach such large diffs between release snapshots. It's impossible to review them. For the next time, I recommend to simply attach your own changes (such as your change to configure.in). If you want a formal review on "upgrade NSS", then you could do what I usually did in the recent past. Create a small text file that contains the commands to upgrade NSS, i.e. "python update_nss TAG", attach it and ask for review on that.

https://hg.mozilla.org/mozilla-central/rev/07f01c6bfaa9 please, resolve the bug if this was the final version, RTM sounds like it was.

Comment on attachment 570614 [details] [diff] [review] [for mozilla-aurora only] Bug 669061: Update mozilla-aurora to NSS 3.13.1 RTM Review of attachment 570614 [details] [diff] [review]: ----------------------------------------------------------------- r=wtc. The procedure in comment 17 is correct. The changes to configure.in, security/nss/TAG-INFO, and security/coreconf/coreconf.dep are correct.

I agree this can be resolved, per comment 22 / 24, because mozilla-central already uses NSS 3.13.1 RTM. I'll land this one and 698753 into aurora now.

Is there anything specific QA can check to verify this fix (other than version info in source)?