On Tue, Dec 20, 2016 at 01:56:03PM -0500, Mark H Weaver wrote:
> >     gnu: nss, nss-certs: Update to 3.27.2.
> >     
> >     * gnu/packages/gnuzilla.scm (nss): Update to 3.27.2.
> >     * gnu/packages/certs.scm (nss-certs): Update to 3.27.2.
> 
> Thanks for this, but unfortunately this version of 'nss' seems to
> consistently fail its test suite on armhf, or at least it has failed 3
> times in a row.
> 
>   https://hydra.gnu.org/build/1712083

Thanks for pointing this out.

> Given the importance of the proper functioning of this package, I'm not
> comfortable disabling the tests.

I agree.

> Do we have reason to believe that this update fixes security flaws?  Is
> there a compelling reason not to revert this update until a version is
> released that passes the test suite on our supported systems?

Not as far as I know, although I assume there are some sort of trust
"problems" fixed in each release of nss-certs.

I'll revert it and investigate. I'd rather not wait for an upstream fix
if we can help it.

I notice know that this release appears to require a newer version of
nspr than we package [0]:

"The HG tag is NSS_3_27_2_RTM. NSS 3.27.2 requires NSPR 4.13 or newer."

What do you recommend I do? How about I make an nss-updates branch with
updates to nspr, nss, nss-certs, and possibly other updates in (gnu
packages gnuzilla), and build it on Hydra when resources are available?

[0]
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.27.2_Release_Notes