I'm wondering if there is a list (on the wiki?) of the new certs that
have been added to Firefox.
As we're now in rapid release mode, there are more opportunities for NSS
to be updated and for certs to ship with each new release.
It would be great to have a list (with dates?) of the certs released and
the versions (of Firefox/of NSS).
Thank you,
Gen
--
Gen Kanai
Programmer types can find which certs were included in each version of
NSS by going to
http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/builtins/certdata.txt
and using CVS Log and Diff.
In http://www.mozilla.org/projects/security/certs/included/ there is an
"Inclusion Date" field which I have not been using. Perhaps I could
change it to something like "Included in" to indicate the first version
of Firefox the cert was included in?
Would that be useful?
While on this topic... Does anyone know of an easier way for me to find
out when a version of NSS is included in FF, other than downloading and
trying each version of FF myself?
Kathleen
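The Log-and-Diff comparison of certdata.txt described above can also be done offline on two saved revisions of the file. This is an added example, not part of the original thread and not NSS tooling; the two revisions are constructed samples with dummy certificate bytes, and matching entries by label is a simplification.

```python
import re

ATTR = re.compile(r'^(CKA_\w+)\s+(\w+)(?:\s+(.*))?$')
TRUST_CLASSES = ("CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST")  # current and older name

def parse_roots(text):
    """Map certificate label -> set of CKA_TRUST_* purposes it is trusted for."""
    roots, cls, label, in_octal = {}, None, None, False
    for line in map(str.strip, text.splitlines()):
        if in_octal:                   # skip DER bytes up to END
            in_octal = line != "END"
            continue
        m = ATTR.match(line)
        if not m:                      # comment, blank line, BEGINDATA
            continue
        name, typ, value = m.group(1), m.group(2), m.group(3) or ""
        if typ == "MULTILINE_OCTAL":
            in_octal = True
        elif name == "CKA_CLASS":      # a new object starts here
            cls, label = value, None
        elif name == "CKA_LABEL":
            label = value.strip('"')
            if cls == "CKO_CERTIFICATE":
                roots.setdefault(label, set())
        elif (cls in TRUST_CLASSES and label in roots
              and name.startswith("CKA_TRUST_")
              and value.endswith("_TRUSTED_DELEGATOR")):
            roots[label].add(name)
    return roots

def diff_roots(old_text, new_text):
    """Compare two certdata.txt revisions by label (a simplification)."""
    old, new = parse_roots(old_text), parse_roots(new_text)
    changed = [l for l in old.keys() & new.keys() if old[l] != new[l]]
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "trust_changed": sorted(changed)}

def sample_entry(label, server, email):
    """Constructed entry in certdata.txt layout; the DER bytes are dummies."""
    t = lambda on: "CKT_NETSCAPE_" + ("TRUSTED_DELEGATOR" if on else "TRUST_UNKNOWN")
    return (f'# Certificate "{label}"\nCKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n'
            f'CKA_LABEL UTF8 "{label}"\nCKA_VALUE MULTILINE_OCTAL\n\\060\\202\nEND\n\n'
            f'CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST\nCKA_LABEL UTF8 "{label}"\n'
            f'CKA_TRUST_SERVER_AUTH CK_TRUST {t(server)}\n'
            f'CKA_TRUST_EMAIL_PROTECTION CK_TRUST {t(email)}\n\n')

OLD = sample_entry("Example Root A", True, True) + sample_entry("Example Root B", True, False)
NEW = sample_entry("Example Root A", True, False) + sample_entry("Example Root C", True, True)
print(diff_roots(OLD, NEW))
```

The trust_changed list catches a root that stays in the file but loses or gains a trust purpose, which a list of labels alone would miss.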
It would be useful to know which version of NSS it was included in,
regardless of when Firefox/Thunderbird/whatever else imported that
version. It would also be useful, though, to have a record of what
date the decisions were finalized.
> While on this topic... Does anyone know of an easier way for me to find out
> when a version of NSS is included in FF, other than downloading and trying
> each version of FF myself?
Perhaps you could ask the build master to let you know what version of
NSS is included in the releases?
-Kyle H
There is a page showing which application releases have which version of
Gecko. It's at <https://developer.mozilla.org/en/Gecko>.
Perhaps we need a similar page showing which application releases have
which version of NSS.
--
David E. Ross
<http://www.rossde.com/>
> Would that be useful?
Very much so. This enables us to better inform our end users.
Regards,
Mark
On 8/2/11 5:33 AM, Kathleen Wilson wrote:
> In http://www.mozilla.org/projects/security/certs/included/ there is an
> "Inclusion Date" field which I have not been using. Perhaps I could
> change it to something like "Included in" to indicate the first version
> of Firefox the cert was included in?
>
> Would that be useful?
I think that would be very useful. Thank you in advance.
Gen
--
Gen Kanai
The source code contains the NSS tag that was pulled in
/security/nss/TAG-INFO
You can look at the release source code at
http://hg.mozilla.org/releases/mozilla-release (choose the right tag
from the bottom, e.g. FIREFOX_5_0_RELEASE, then click on files and
navigate to security/nss, click on the file link next to TAG-INFO there).
Philipp
That helps. Now I can see why the roots I was expecting to become
BuiltIn in FF 5.0 have not... The changes were checked into NSS 3.12.10.
FF 5.0 and 5.0.1 used NSS 3.12.9.
How do I find this information for previous and future versions of FF?
Thanks,
Kathleen
For old versions: since Firefox 5, just pick the right tag from
releases/mozilla-release. Up to Firefox 4: choose the right repository
from http://hg.mozilla.org/releases/mozilla-* and follow the steps there.
Or: download the source from
ftp://ftp.mozilla.org/pub/firefox/releases/VERSION/source/ and look in
the security/nss/TAG-INFO file there.
For future versions: I don't know the policy how NSS is updated in
Firefox, but Wan-Teh Chang and Kai Engert usually do the updates, so you
might ask them to CC you on bugs when NSS is updated.
For aurora and beta, you can look at the source view as well, the
repositories are at http://hg.mozilla.org/releases/mozilla-aurora and
http://hg.mozilla.org/releases/mozilla-beta, the other steps are the
same as above.
Philipp
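The TAG-INFO lookup described above, scripted over source trees that have already been downloaded, answers the question of which release first bundles the NSS version a root landed in. This is an added example, not part of the original thread; it assumes TAG-INFO holds a tag shaped like NSS_3_12_9_RTM, and the sample trees and the release names other than FIREFOX_5_0_RELEASE are constructed stand-ins.

```python
import re
import tempfile
from pathlib import Path

def nss_version(tag):
    """'NSS_3_12_9_RTM' -> (3, 12, 9). The tag shape is an assumption."""
    m = re.match(r'NSS_(\d+)_(\d+)(?:_(\d+))?(?:_|$)', tag.strip())
    if not m:
        raise ValueError(f"unrecognised NSS tag: {tag!r}")
    return tuple(int(g or 0) for g in m.groups())

def bundled_nss(source_root):
    """Read security/nss/TAG-INFO from an unpacked release source tree."""
    tag_file = Path(source_root) / "security" / "nss" / "TAG-INFO"
    return nss_version(tag_file.read_text())

def first_release_with(required, trees):
    """trees: (release_name, source_root) pairs in release order.

    Versions are compared as integer tuples; compared as strings,
    '3.12.10' would sort before '3.12.9' and give the wrong release.
    """
    for name, root in trees:
        if bundled_nss(root) >= required:
            return name
    return None

def make_sample_trees(base):
    """Constructed stand-ins for downloaded release source trees."""
    sample = [("FIREFOX_5_0_RELEASE", "NSS_3_12_9_RTM"),
              ("FIREFOX_5_0_1_RELEASE", "NSS_3_12_9_RTM"),
              ("FIREFOX_6_0_RELEASE", "NSS_3_12_10_RTM")]
    trees = []
    for release, tag in sample:
        nss_dir = Path(base) / release / "security" / "nss"
        nss_dir.mkdir(parents=True)
        (nss_dir / "TAG-INFO").write_text(tag + "\n")
        trees.append((release, Path(base) / release))
    return trees

def demo():
    # A root that landed in NSS 3.12.10: which sample release has it first?
    with tempfile.TemporaryDirectory() as base:
        return first_release_with((3, 12, 10), make_sample_trees(base))

if __name__ == "__main__":
    print(demo())
```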
> There is a page showing which application releases have which version of
> Gecko. It's at <https://developer.mozilla.org/en/Gecko>.
>
> Perhaps we need a similar page showing which application releases have
> which version of NSS.
+1
Note that this is not intrinsically an NSS developer function. It's up to
the products that consume NSS releases to document which ones they use.
--
/Nelson Bolyard
Here's what I have so far -- for versions of NSS that included new roots
in the past couple of years.
Does anyone know what version of Firefox picked up version 3.11.10 and
3.12.1 of NSS?
NSS 3.11.10, Firefox ??
NSS 3.12.1, Firefox ??
NSS 3.12.4, Firefox 3.5
NSS 3.12.5, Firefox 3.6
NSS 3.12.6, Firefox 3.6.2
NSS 3.12.7, Firefox 3.6.7
NSS 3.12.8, Firefox 3.6.12
NSS 3.12.9, Firefox 4.0
NSS 3.12.10, Firefox 6.0
NSS 3.12.11, TBD
Thanks,
Kathleen
In http://www.mozilla.org/projects/security/certs/included/ there was an
"Included Date" field that I wasn't using. I renamed the field to
"Included In" and updated all of the certificate entries on this page to
indicate the NSS and Firefox versions which first included the
certificate. For instance, if you search the page for "Firefox 6.0" you
will find all of the root certificates that were introduced in that release.
The next batch of root certificates to be included are in NSS 3.12.11,
but it doesn't look like that version of NSS will be in Firefox 7 or 8.
(I formed this conclusion by looking at the TAG-INFO for security/nss in
http://hg.mozilla.org/releases/).
Kathleen
How can I tell what version of NSS is being used in a version of
SeaMonkey or Thunderbird?
This is why it was originally an Included Date field, with the idea
being that it was the date included in NSS and the reader had to do the
rest of the work themselves...
But I agree that makes the common use case too much work.
David: you need a list of Thunderbird and SeaMonkey releases and the
corresponding NSS versions. If one does not exist, you could do the
world a service by making one.
Gerv
The release versions and release dates are listed here:
https://wiki.mozilla.org/Releases/
and
https://wiki.mozilla.org/Releases/Old
Based on release date, is it safe to assume that releases of Thunderbird
and SeaMonkey use the same version of NSS as the corresponding release
of Firefox?
For instance, Thunderbird 3.0 was released on Dec 8, 2009, and SeaMonkey
2.0.1 was released on Dec 15, 2009. Then is it safe to assume that they
both used the same version of NSS as was used in Firefox 3.5.6 which was
released on Dec 15, 2009? (Firefox 3.5.6 included NSS 3.12.4.)
If it is safe to make such assumptions, then I can add the Thunderbird
and SeaMonkey versions to the "Included In" information.
Kathleen
It's not 100% safe - they use the same NSS release if they were released
off the same branch of mozilla-central; at one point, SeaMonkey was
releasing off an older branch.
I think it would be best to have a single wiki page mapping NSS versions
to versions of Thunderbird, Firefox, SeaMonkey, Camino and any other
software people want to stick in there, and just have the NSS version
and a link to that page in the certificate list.
Gerv
First, I tried to obtain a list of components used by SeaMonkey but
developed elsewhere within Mozilla. That list would be in
about:support. For that, I submitted bug #680952, which was quickly
marked Resolved/WontFix.
Now, I have submitted bug #681709, requesting a Web page for NSS similar
to "Versions of Gecko" (at <https://developer.mozilla.org/en/Gecko>).
See:
<https://bugzilla.mozilla.org/show_bug.cgi?id=680952>
<https://bugzilla.mozilla.org/show_bug.cgi?id=681709>
Actually, I think it'll be easier to maintain this in a wiki page.
I started the page here:
https://wiki.mozilla.org/NSS:Release_Versions
If anyone has better data, please feel free to add the corrections or
send them to me.
Kathleen
It looks good.
However, I would suggest one additional column that lists the NSS bug
numbers for each NSS version. With the NSS bug numbers, we should then
be able to trace back to the CA Certificates bug numbers if necessary.
The NSS bug numbers should be links to the bug reports. I would format
the table with the column widths the way they are (maybe slightly wider
for the bug column). A large number of bug reports would then make the
rows taller but would not require horizontal scrolling.
I just now edited the Wiki. I inserted a column for bug numbers and
populated the cell in that column for NSS 3.12.11. I hope soon to
change the plain text bug numbers into links to the bug reports. I will
then try to populate the bug numbers for earlier versions of NSS.
Not being totally familiar with NSS bugs, however, someone else will
have to review what I have done. That is, someone will have to verify
that I identified all relevant bug reports for each NSS version. By
"relevant", I mean only the bug reports dealing with adding, modifying,
and deleting root certificates.
Wiki tip: use:
{{bug|123456}}
to automatically insert the correct link.
> Not being totally familiar with NSS bugs, however, someone else will
> have to review what I have done. That is, someone will have to verify
> that I identified all relevant bug reports for each NSS version. By
> "relevant", I mean only the bug reports dealing with adding, modifying,
> and deleting root certificates.
I think the NSS team are quite good at making sure the Target Milestone
on their bugs is set correctly, so I suggest you might be better linking
to queries like this one:
rather than listing individual bugs. This respects the DRY principle,
and stops Bugzilla and the page getting out of sync.
Gerv
Thank you for the pointer on how to mark links to bug reports.
I have no idea what the acronym "DRY" means. However, I don't think the
numbers for existing bug reports will change.
In any case, the initial motivation for this Wiki is to provide
end-users with information on which root certificate changes were
implemented in which Mozilla-based applications. It is indeed possible
that some end-users might be quite familiar with certificates but not
real familiar with Bugzilla. For those users, a link to a
bugzilla.mozilla.org query would not be useful without a detailed
explanation of how to drill down via bug dependencies to the information
they seek.
I have now populated the Wiki for NSS 3.12.10.
Don't Repeat Yourself. The numbers for existing reports will not change,
but it could be that later on, someone says "Oh, this bug hasn't got a
proper Target Milestone marked", and marks it - thereby increasing the
visible set of bugs fixed in a particular TM.
Perhaps you could provide both a list and a search link?
Gerv
For the Wiki, we are only interested in bugs for the addition,
modification, and deletion of root certificates. I'm trying to avoid
confusing end-users with bug reports that address other issues, which
will appear in queries on Target Milestone.
In any case, the Wiki is still in draft form. Let me see how end-users
react as I complete populating the bug column.