From: Ian Eure <ian@retrospec.tv>
To: guix-devel@gnu.org
Subject: Proposal: nss updates
Date: Thu, 27 Jun 2024 07:13:11 -0700 [thread overview]
Message-ID: <87ikxu4e2q.fsf@meson> (raw)
The nss package updates frequently, around once a month. It's
also very low in the package graph, so a ton of stuff depends on
it. The most recent update was a graft for security fixes, so we
didn't have to rebuild everything, but the new Librewolf version
once again requires an nss update. I'm considering options to
balance update frequency vs. huge rebuilds.
Mozilla has strong compatibility guarantees for nss, so the risk
of packages breaking is very small. This is purely about the cost
in CPU time to build and bandwidth to transfer packages.
Mozilla provides an ESR channel for nss, but Guix doesn't use it —
we went from 3.88.1 to 3.99, skipping 3.91, which is the current
ESR.
I think the default nss in Guix should be the ESR, but we should
also have a package for the latest nss, for stuff which needs it.
This would let us update to the most recent nss without rebuilding
so much, and only eat that cost when there’s a new ESR -- this
happens approximately once a year.
Concretely:
The current nss package should stay how it is. When the next ESR
happens, it should update to that (ungrafting nss at the same
time), and track ESR releases only from that point forward. I
don’t think it would make sense to downgrade the current 3.99
package to the 3.91 ESR, so this will be a little funky until that
release happens.
The latest version of nss should be added as a second package,
named "nss-latest", bound to `nss-latest'. It should track
updates as frequently as needed.
While I’d prefer having the packages named "nss-esr" and "nss", I
think the ESR should get the more prominent "nss" name, which
should make it easy for developers to do the right thing -- if a
bunch of packages depend on nss-latest, we’re back to the initial
problem. Code comments documenting this would also be added.
We might also want to adopt this approach for nspr.
I’m not sure about nss-certs; I think that should probably track
the nss ESR, and I don’t think there’s a compelling need for a
package tracking the rapid release channel. I do want to improve
this package by having it reuse the origin of nss instead of
duplicating it.
Does all this seem reasonable to everyone? If so, I can start
sending patches.
Thanks,
— Ian
next reply other threads:[~2024-06-27 15:10 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-27 14:13 Ian Eure [this message]
2024-06-27 16:21 ` Proposal: nss updates Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-06-27 20:56 ` Ian Eure
2024-07-01 2:50 ` Maxim Cournoyer
2024-07-01 15:00 ` Ian Eure
2024-07-01 20:31 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-07-02 0:06 ` Ian Eure
2024-07-02 1:57 ` Maxim Cournoyer
2024-08-15 23:38 ` Ian Eure
2024-08-18 14:10 ` Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ikxu4e2q.fsf@meson \
--to=ian@retrospec.tv \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.