Opened 2 years ago
Closed 2 years ago
#17387 closed enhancement (fixed)
nss-3.86
| Reported by: | Bruce Dubbs | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 11.3 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
New minor version.
Change History (5)
follow-up: 3 comment:1 by , 2 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 2 years ago
We seems to have been having variations in the time taken to run tests. From the comments in the XML it looks as if ryzens run the tests much quicker than intel. I did my initial measurements on my 3400G, where the SBU (as if the system is rebuilding itself) with linux-6.0.12 is (of course) slower than with 6.0.7 and perhaps the memory runs slowly for some reason.
On that system, the SBU (average of 3 'reasonable' runs) is 156.806s. Time for build and install with -j4 14 SBU, time for tests 36m10.950s which rounds up to 18 SBU.
I remembered that I have a current system without my own CFLAGS on my haswell, so I thought I'd try the build there.
The SBU re-measured with 6.0.12 is 133.236s (average of five runs, the range seemed to be wider than I'd expected). I didn't time the build (used -j8), nor do a dummy install, but the tests did indeed take forever. Just finished, 77m18.788s which rounds to 35 SBU.
I don't have a usable recent intel, I can believe that times over 60 SBU are possible although no idea why, the test results are the same for each:
Tests summary: -------------- Passed: 80186 Failed: 0 Failed with core: 0 ASan failures: 0 Unknown status: 2
and the space taken (309MB build, 463MB after tests) is the same for each.
I'm inclined to label the time for the tests as "less than 20 SBU on AMD ryzen, up to two or even three times longer on Intel" ?
comment:3 by , 2 years ago
Replying to ken@…:
Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates.
Bug 1799038 - Remove Staat der Nederlanden EV Root CA from NSS.
Bug 1797559 - Remove EC-ACC root cert from NSS.
Bug 1794507 - Remove SwissSign Platinum CA - G2 from NSS.
Bug 1794495 - Remove Network Solutions Certificate Authority.
Obviously, for people following the book and using the symlink to p11-kit-trust.so those changes will be picked up when updating ca-certificates. The "problematic" TrustCor certificates have been distrusted since 30th November, the other removals were done on or before 1st December so anyone updating their mozilla certificates after that should have already picked up those changes.
comment:4 by , 2 years ago
Following Bruce's reply to blfs-book, I posted to announce that I'm planning to put the following in the nss page:
For test time, "less than 20 SBU on AMD ryzens, at least 30 SBU on Intel machines"
and for the results, "A few tests might fail on some intel machines for unknown reasons."
but posting to that list now fails: "Posts to this list are restricted to LFS revision control programs."
comment:5 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed in 0d7f7190cf1ee21ca3bc89b3372e18681f06f40c 11.2-594
Taking this, because I'll need it to look at firefox-109 beta.
Release notes at https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_86.html
Changes in NSS 3.86¶ Bug 1803190 - conscious language removal in NSS. Bug 1794506 - Set nssckbi version number to 2.60. Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates. Bug 1799038 - Remove Staat der Nederlanden EV Root CA from NSS. Bug 1797559 - Remove EC-ACC root cert from NSS. Bug 1794507 - Remove SwissSign Platinum CA - G2 from NSS. Bug 1794495 - Remove Network Solutions Certificate Authority. Bug 1802331 - compress docker image artifact with zstd. Bug 1799315 - Migrate nss from AWS to GCP. Bug 1800989 - Enable static builds in the CI. Bug 1765759 - Removing SAW docker from the NSS build system. Bug 1783231 - Initialising variables in the rsa blinding code. Bug 320582 - Implementation of the double-signing of the message for ECDSA. Bug 1783231 - Adding exponent blinding for RSA. Compatibility¶ NSS 3.86 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with this new version of the shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.