Because of changes to the PKCS #11 spec in PKCS #11 v3.0, NSS needs to change the definition of the CK_GCM_PARAMS structure in a source incompatible way. Upstream made this change in NSS 3.52. This change does not affect the ABI. Old programs compiled with older versions of NSS will still work. Only packages that use NSS and directly call AES GCM are affected.
Metadata Update from @bcotton:
- Issue tagged with: F34
@rrelyea would it be possible for you to analyse which packages would be affected?
I am not a subject matter expert, but given that this is submitted very early (hey, this is the first change for F34!), I am +1 so that we can make everything work fine or revert long before the release.
Note that you will need to wait for branching to happen before pushing the change to git.
If you have a command I can type that would give all the packages that require nss-devel to build, then I could do a grep for CK_GCM_PARAMS in the source trees for those packages. Only packages with a hit could possibly require patching.
Any NSS changes have already been checked in. The upstream default is to map CK_GCM_PARAMS to the new structure. The current rawhide builds, f32 builds and f31 builds have a patch that reverses this default. The spec conditionally includes the patch if the Fedora build is < 34, so all that is needed after the branch is a rebuild. Also, packages can patch their builds in rawhide and f31 or f32. All the suggested fixes work independently of whether or not the default definition patch is included.
+1, I suppose.
There are some typos in the proposal you could fix, though :)
@rrelyea Here's the command and the list for Rawhide:
➤ dnf repoquery --releasever=rawhide --disablerepo=\* --enablerepo=fedora-\*source --whatrequires nss-devel
Last metadata expiration check: 0:00:10 ago on Mon 15 Jun 2020 11:28:57 AM EDT.
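The second step discussed in this thread, grepping the source trees of the packages that require nss-devel for CK_GCM_PARAMS, could look like the sketch below. It is an added example, not a script posted by anyone in the ticket; the directory layout (one unpacked source tree per package under a common root), the function names and the sample package names are assumptions, and `--include` requires GNU grep.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed (hypothetical) layout:
# <root>/<package>/... with one unpacked source tree per package.

# Print "<package> <number of files>" for every package that uses the
# identifier CK_GCM_PARAMS in C or C++ sources or headers.
scan_gcm_users() {
    root=$1
    for pkg in "$root"/*/; do
        [ -d "$pkg" ] || continue
        # -w matches the whole identifier only, so longer names that merely
        # contain it are not reported; -I skips binary files.
        hits=$( { grep -rIlw --include='*.c' --include='*.h' \
                      --include='*.cc' --include='*.cpp' --include='*.hpp' \
                      -e 'CK_GCM_PARAMS' "$pkg" 2>/dev/null || true; } \
                | wc -l | tr -d ' ')
        if [ "$hits" -gt 0 ]; then
            printf '%s %s\n' "$(basename "$pkg")" "$hits"
        fi
    done
    return 0
}

# Constructed sample trees (package names are made up for the demo).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/uses-gcm/src" "$d/wrapper-only" "$d/no-gcm"
    printf 'CK_GCM_PARAMS p;\np.ulTagBits = 128;\n' > "$d/uses-gcm/src/aead.c"
    printf 'static CK_GCM_PARAMS gcm;\n' > "$d/uses-gcm/src/tls.c"
    # Longer identifier that only contains the name: must not be reported.
    printf 'typedef int MY_CK_GCM_PARAMS_COMPAT;\n' > "$d/wrapper-only/x.h"
    # Mention outside C/C++ sources: filtered out by --include.
    printf 'CK_GCM_PARAMS mentioned in docs only\n' > "$d/no-gcm/README"
    printf 'int main(void) { return 0; }\n' > "$d/no-gcm/main.c"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
scan_gcm_users "$tree"
rm -rf "$tree"
```

Only packages printed by the scan could need patching; a hit still has to be reviewed by hand to see whether the code actually fills in the structure for an AES GCM call.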
1) Can we get a list of affected packages? Specifically, I am concerned about any high profile packages affected.
2) The benefit to Fedora is listed, but are there any risks to not upgrading to this version of NSS?
* AGREED: FESCo asks rrelyea to rephrase the request and add details
about the expected impact, particularly on rebuilds and revisit in a
week (+8, 0, -0) (contyk, 15:34:38)
Metadata Update from @ignatenkobrain:
- Issue assigned to rrelyea
@rrelyea Any updates here?