This PR is part of a stack of 2 bookmarks:
Created with jj-stack
This PR downgrades the minimum NSS version from 3.121 to 3.120.1 in neqo-crypto/min_version.txt. The version is consumed at build time (build.rs via pkg-config --modversion check), at runtime (NSS_VersionCheck), and across ~12 CI workflow files (via version-file:).
The change itself is mechanically correct — all consumers read from this single file, so a one-line change propagates everywhere.
Concerns:
- Missing context. The PR has no description explaining why the downgrade is needed or what the timeline is for restoring it. The temp_branch name signals intent to revert, but without a tracking issue or TODO, this risks becoming permanent. Please add a brief rationale and link to a follow-up issue.
- Security surface. Lowering the minimum NSS version widens the set of NSS builds the code will accept at runtime. If 3.121 introduced security fixes that neqo relies on (even implicitly through hardened defaults), this PR silently weakens that floor. Worth a sentence in the description confirming that no security-relevant NSS changes between 3.120.1 and 3.121 affect neqo.
- Stale CI comment. Noted inline — the NetBSD exclusion comment references >= 3.121 and should be updated.
- Merge conflict. The PR is currently in a dirty mergeable state and needs a rebase.
| @@ -1 +1 @@ | |||
| 3.121 | |||
| 3.120.1 | |||
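Review bot: The replacement value in this hunk, 3.120.1, has three components where the old value 3.121 had two, so each consumer of neqo-crypto/min_version.txt named in this review (the build.rs pkg-config --modversion check, the runtime NSS_VersionCheck call, and the version-file: inputs in the CI workflows) should be confirmed to compare it component by component rather than as a plain string or a two-part number. Since this one line is the only place the minimum is set, a short note in the PR description stating that each of those three paths was exercised with the new value would make the change easier to accept.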
Warning
The TODO in .github/workflows/check.yml:211 says:
# TODO: Re-enable NetBSD once NetBSD > 10.1 ships with NSS >= 3.121.
With the minimum lowered to 3.120.1, that comment becomes stale — NetBSD 10.1's packaged NSS might now satisfy the requirement, so both the comment and the NetBSD exclusion should be revisited as part of this change.
No description provided.