Merge ~paelzer/ubuntu/+source/nss:bionic-merge-3.36.1-1 into ubuntu/+source/nss:debian/sid

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 9c8a37f941edaba6af7a7a18a541cbbabf8e911b
Proposed branch: ~paelzer/ubuntu/+source/nss:bionic-merge-3.36.1-1
Merge into: ubuntu/+source/nss:debian/sid
Diff against target: 213 lines (+124/-2)
4 files modified
debian/changelog (+111/-0)
debian/control (+3/-1)
debian/libnss3.links (+3/-0)
debian/rules (+7/-1)
Reviewers:
 * Andreas Hasenack: Approve
 * Canonical Server packageset reviewers: Pending
 * git-ubuntu developers: Pending
Review via email: mp+345213@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

Hi,
this is a proposal for a merge early in the cosmic cycle.
Early because we intentionally change some defaults.

In Bionic we stepped back and reverted that - see bug 1746947
But since then we have resolved all dependent issues in bug 1747411 (with corosync that is about to be fixed the last one to go).

With the above done we can stop setting the old default DB format in 1746947 and behave like Debian does.

I pushed the usual tags to ease review:
 * [new tag] lp1747411/deconstruct/2%3.35-2ubuntu2 -> lp1747411/deconstruct/2%3.35-2ubuntu2
 * [new tag] lp1747411/new/debian -> lp1747411/new/debian
 * [new tag] lp1747411/old/ubuntu -> lp1747411/old/ubuntu
 * [new tag] lp1747411/logical/2%3.35-2ubuntu2 -> lp1747411/logical/2%3.35-2ubuntu2
 * [new tag] lp1747411/old/debian -> lp1747411/old/debian
 * [new tag] lp1747411/reconstruct/2%3.35-2ubuntu2 -> lp1747411/reconstruct/2%3.35-2ubuntu2

It still is a merge and not a sync for the following reasons:
1. a ppc64el FTBFS that I verified (still occurs for Ubuntu compiler defaults)
2. Debian not yet moving on bug 1744328

So we have overall to pass in order to be good:
1. sync of libqb (https://code.launchpad.net/~paelzer/ubuntu/+source/libqb/+git/libqb/+merge/345212)
2. sync of corosync (https://code.launchpad.net/~paelzer/ubuntu/+source/corosync/+git/corosync/+merge/345184)
3. merge of nss (this MP)

Andreas Hasenack (ahasenack) wrote :

+1, delta changes confirmed.

Just a question, though, but which does not impede this merge: shouldn't the ppc64el ftbfs fix only be applied if building for ppc64el? The way it is, it's applying to all architectures, as long as -O3 is used in the compiler flags. I understand this was already part of the delta.

Also, if you want, you could rebase on new/debian and move the -O3 fix to before merge-changelogs. That would tidy it up a bit and make it easy to get a good view of the current delta without changelog noise. Just a comment, again, not impeding the merge in any way.

review: Approve
86708c7... by Christian Ehrhardt 

- d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el

Signed-off-by: Christian Ehrhardt <email address hidden>

9c8a37f... by Christian Ehrhardt 

changelog: - d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el

Signed-off-by: Christian Ehrhardt <email address hidden>

Christian Ehrhardt  (paelzer) wrote :

I've added both suggestions and pushed the new changes.

Looks like that now which seems to be the commonly used idiomatic way to express AND there:
    ifneq (,$(filter -O3,$(CFLAGS)))
    ifneq (,$(filter $(DEB_HOST_ARCH), ppc64el))
      CFLAGS := $(CFLAGS) -Wno-error=maybe-uninitialized
    endif
    endif
I have the same arch filter in place in another package, so I'm rather convinced it is good.
For safety on the d/rules change I have a rebuild in the same ppa we used so far and it LGTM on build.

I force-pushed (for the re-arrange) the git updates to my branch.

That said this MP here is ready to be uploaded now once corosync is complete.

Andreas Hasenack (ahasenack) wrote :

Thanks, still +1

review: Approve
Christian Ehrhardt  (paelzer) wrote :

libdb is complete, now waiting for corosync to be complete as well to push this merge then.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index b5a0128..3936c93 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,20 @@
6+nss (2:3.36.1-1ubuntu1) cosmic; urgency=medium
7+
8+ * Merge with Debian unstable. Remaining changes:
9+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
10+ - d/control: add dh-exec to Build-Depends
11+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
12+ - d/rules: when building with -O3 on ppc64el this FTBFS, build with
13+ -Wno-error=maybe-uninitialized to avoid that
14+ * Dropped changes:
15+ - revert switching to SQL default format (LP: 1746947) Dropping this
16+ adresses (LP: #1747411) and effectively means we now switch to the new
17+ default format after we ensured all depending packages are ready.
18+ * Added changes:
19+ - d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el
20+
21+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 May 2018 17:08:46 +0200
22+
23 nss (2:3.36.1-1) unstable; urgency=medium
24
25 * New upstream release.
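Review bot: the bug references in the new 2:3.36.1-1ubuntu1 entry are written three different ways, "(LP 1744328)", "(LP: 1746947)" and "(LP: #1747411)", while the older entries re-added further down this diff use "(LP: #...)" throughout. If the difference is deliberate, so that only 1747411 is treated as fixed by this upload, a word saying so would keep a later merge from "correcting" the other two; if not, use one form. In the same entry "adresses" should be "addresses", and "extended the FTBFS to -O3 on ppc64el to only apply on ppc64el" would read more clearly as restricting the -Wno-error=maybe-uninitialized workaround to ppc64el.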
26@@ -11,6 +28,25 @@ nss (2:3.36-1) unstable; urgency=medium
27
28 -- Mike Hommey <glandium@debian.org> Sun, 08 Apr 2018 06:53:15 +0900
29
30+nss (2:3.35-2ubuntu2) bionic; urgency=medium
31+
32+ * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the
33+ default is still causing too much issues in consumers of nss.
34+ So until resolved revert the switched default (LP: #1746947)
35+
36+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 05 Feb 2018 11:36:07 +0100
37+
38+nss (2:3.35-2ubuntu1) bionic; urgency=medium
39+
40+ * Merge with Debian unstable. Remaining changes:
41+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
42+ * Added Changes:
43+ - d/libnss3.links: make freebl3 available as library (LP: #1744328)
44+ + d/control: add dh-exec to Build-Depends
45+ + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
46+
47+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 30 Jan 2018 14:04:20 +0100
48+
49 nss (2:3.35-2) unstable; urgency=medium
50
51 * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.
52@@ -29,6 +65,13 @@ nss (2:3.34.1-1) unstable; urgency=medium
53
54 -- Mike Hommey <glandium@debian.org> Fri, 05 Jan 2018 20:15:40 +0900
55
56+nss (2:3.34-1ubuntu1) bionic; urgency=medium
57+
58+ * Merge with Debian; remaining changes:
59+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
60+
61+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 14 Dec 2017 09:18:47 -0500
62+
63 nss (2:3.34-1) unstable; urgency=medium
64
65 * New upstream release:
66@@ -53,6 +96,28 @@ nss (2:3.32-2) unstable; urgency=medium
67
68 -- Mike Hommey <glandium@debian.org> Mon, 28 Aug 2017 07:39:59 +0900
69
70+nss (2:3.32-1ubuntu3) artful; urgency=medium
71+
72+ * SECURITY UPDATE: Use-after-free in TLS 1.2 generating handshake hashes
73+ - debian/patches/CVE-2017-7805.patch: Simplify handling of
74+ CertificateVerify in nss/lib/ssl/ssl3con.c, nss/lib/ssl/ssl3prot.h.
75+ - CVE-2017-7805
76+
77+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 29 Sep 2017 12:17:39 -0400
78+
79+nss (2:3.32-1ubuntu2) artful; urgency=medium
80+
81+ * Initialise curve variable in a test file, resolves FTBFS.
82+
83+ -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 24 Aug 2017 07:21:27 -0400
84+
85+nss (2:3.32-1ubuntu1) artful; urgency=medium
86+
87+ * Merge with Debian; remaining changes:
88+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
89+
90+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 23 Aug 2017 13:09:20 -0400
91+
92 nss (2:3.32-1) unstable; urgency=medium
93
94 * New upstream release.
95@@ -112,6 +177,39 @@ nss (2:3.27.1-1) experimental; urgency=medium
96
97 -- Mike Hommey <glandium@debian.org> Sat, 19 Nov 2016 08:29:17 +0900
98
99+nss (2:3.28.4-0ubuntu2) artful; urgency=medium
100+
101+ * SECURITY UPDATE: DoS via empty SSLv2 messages
102+ - debian/patches/CVE-2017-7502.patch: reject broken v2 records in
103+ nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h,
104+ added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc,
105+ nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn,
106+ nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
107+ - CVE-2017-7502
108+
109+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 16 Jun 2017 08:12:38 -0400
110+
111+nss (2:3.28.4-0ubuntu1) artful; urgency=medium
112+
113+ * Updated to upstream 3.28.4 to fix security issues and get a new CA
114+ certificate bundle.
115+ * SECURITY UPDATE: DES and Triple DES ciphers birthday attack
116+ - CVE-2016-2183
117+ * SECURITY UPDATE: out-of-bounds write in Base64 decoding
118+ - CVE-2017-5461
119+ * debian/patches/*.patch: refreshed for new version.
120+ * debian/control: bump libnspr4-dev to 4.13.1.
121+ * debian/libnss3.symbols: added new symbols.
122+
123+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 27 Apr 2017 13:13:44 -0400
124+
125+nss (2:3.26.2-1ubuntu1) zesty; urgency=medium
126+
127+ * Merge with Debian; remaining changes:
128+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
129+
130+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 02 Dec 2016 08:48:03 -0500
131+
132 nss (2:3.26.2-1) unstable; urgency=medium
133
134 * New upstream release.
135@@ -125,6 +223,13 @@ nss (2:3.26-2) unstable; urgency=medium
136
137 -- Mike Hommey <glandium@debian.org> Wed, 21 Sep 2016 10:02:23 +0900
138
139+nss (2:3.26-1ubuntu1) yakkety; urgency=medium
140+
141+ * Merge with Debian; remaining changes:
142+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
143+
144+ -- Matthias Klose <doko@ubuntu.com> Tue, 06 Sep 2016 14:39:56 +0200
145+
146 nss (2:3.26-1) unstable; urgency=medium
147
148 * New upstream release.
149@@ -139,6 +244,12 @@ nss (2:3.26-1) unstable; urgency=medium
150
151 -- Mike Hommey <glandium@debian.org> Tue, 16 Aug 2016 16:33:15 +0900
152
153+nss (2:3.25-1ubuntu1) yakkety; urgency=medium
154+
155+ * When building with -O3, build with -Wno-error=maybe-uninitialized.
156+
157+ -- Matthias Klose <doko@ubuntu.com> Thu, 04 Aug 2016 11:36:54 +0200
158+
159 nss (2:3.25-1) unstable; urgency=medium
160
161 * New upstream release.
162diff --git a/debian/control b/debian/control
163index cabbe72..820b70d 100644
164--- a/debian/control
165+++ b/debian/control
166@@ -1,9 +1,11 @@
167 Source: nss
168 Section: libs
169 Priority: optional
170-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>
171+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
172+XSBC-Original-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>
173 Uploaders: Mike Hommey <glandium@debian.org>
174 Build-Depends: debhelper (>= 9.20160403),
175+ dh-exec,
176 dpkg-dev (>= 1.17.14),
177 libnspr4-dev (>= 2:4.12),
178 zlib1g-dev,
179diff --git a/debian/libnss3.links b/debian/libnss3.links
180new file mode 100755
181index 0000000..717ff94
182--- /dev/null
183+++ b/debian/libnss3.links
184@@ -0,0 +1,3 @@
185+#!/usr/bin/dh-exec
186+usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.so
187+usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreeblpriv3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.so
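Review bot: the second link puts libfreeblpriv3.so, taken from the package's private nss/ subdirectory, onto the multiarch library path next to libfreebl3.so, but the changelog line for this file only says "make freebl3 available as library". If libfreeblpriv3.so is linked only because libfreebl3.so needs it at load time, state that in the changelog entry so a later merge neither drops it nor widens the set of exposed private libraries by accident. Note also that this file depends on staying mode 100755 and on dh-exec remaining in Build-Depends in debian/control, so the three pieces of this delta have to be kept or dropped together.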
188diff --git a/debian/rules b/debian/rules
189index d9ca1d2..81f049f 100755
190--- a/debian/rules
191+++ b/debian/rules
192@@ -12,6 +12,12 @@ $(call lazy,CFLAGS,$$(shell dpkg-buildflags --get CFLAGS))
193 $(call lazy,CPPFLAGS,$$(shell dpkg-buildflags --get CPPFLAGS))
194 $(call lazy,LDFLAGS,$$(shell dpkg-buildflags --get LDFLAGS))
195
196+ifneq (,$(filter -O3,$(CFLAGS)))
197+ifneq (,$(filter $(DEB_HOST_ARCH), ppc64el))
198+ CFLAGS := $(CFLAGS) -Wno-error=maybe-uninitialized
199+endif
200+endif
201+
202 PREPROCESS_FILES := $(wildcard debian/*.in)
203
204 $(PREPROCESS_FILES:.in=): %: %.in
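Review bot: the outer test "ifneq (,$(filter -O3,$(CFLAGS)))" expands CFLAGS while the makefile is parsed, on every architecture, although the context lines just above set CFLAGS, CPPFLAGS and LDFLAGS up through the "lazy" helper around "dpkg-buildflags --get". Putting the architecture test outermost would confine that expansion to ppc64el builds, and a plain "ifeq ($(DEB_HOST_ARCH),ppc64el)" would match the "ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))" style used later in this file. The block also carries no comment: since it stops a maybe-uninitialized diagnostic from failing the build of a crypto library, a one-line comment naming the ppc64el -O3 FTBFS it works around would help whoever next has to decide whether the delta can be dropped.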
205@@ -175,7 +181,7 @@ override_dh_strip:
206
207 ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
208 # Check FIPS mode correctly works
209- mkdir debian/tmp
210+ mkdir -p debian/tmp
211 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null
212 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null
213 endif
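Review bot: with "mkdir -p debian/tmp" the FIPS check no longer fails when debian/tmp already exists, but the two modutil calls that follow still pass it as "-dbdir", so the test database is now created inside a directory that something else has already populated. Consider a dedicated scratch directory for this check, removed afterwards, so the database files cannot end up among staged package contents and a leftover database from an earlier run cannot influence the "-fips true" result.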
