office-gobmx/external/nss
Michael Stahl c5e7af92eb nss: upgrade to release 3.98
Fixes CVE-2023-5388

Also update README, and remove obsolete documentation of Debian's
mangled SONAME; relevant Debian changelog:

  nss (2:3.13.4-2) unstable; urgency=low

  * debian/control, debian/libnss3*, debian/rules,
    mozilla/security/coreconf/*, mozilla/security/nss/lib/*/manifest.mn:
    Move to unversioned library. ABI compatibility is ensured upstream, and
    the SO version, if it needed a change at any time, would be a change in
    the library name. There is no reason to keep making compatibility more
    difficult with other distros and upstream binary releases. While previous
    versions were one-way compatible (binaries built against other distros or
    upstream nspr could work on Debian), this approach works both ways.

  -- Mike Hommey <glandium@debian.org>  Thu, 17 May 2012 09:45:36 +0200

Change-Id: Ifc1eae68827fa88ae001a3903c8555af67b488ac
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163482
Tested-by: Michael Stahl <michael.stahl@allotropia.de>
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
2024-02-16 15:34:25 +01:00
..
asan.patch.1
clang-cl.patch.0
ExternalPackage_nss.mk
ExternalProject_nss.mk
macos-dlopen.patch.0
Makefile
Module_nss.mk
nsinstall.py
nss-android.patch.1
nss-bz1646594.patch.1
nss-ios.patch
nss-restore-manual-pre-dependencies.patch.1
nss-win32-make.patch.1
nss.bzmozilla1238154.patch
nss.cygwin64.in32bit.patch
nss.nowerror.patch
nss.patch
nss.utf8bom.patch.1
nss.vs2015.patch
nss.vs2015.pdb.patch
nss.windows.patch
nss_macosx.patch
README
ubsan.patch.0
UnpackedTarball_nss.mk
Wincompatible-function-pointer-types.patch.0

Contains the Network Security Services (NSS) libraries from Mozilla

== ESR versions ==

Upstream releases both regular and "ESR" versions, the latter go into Firefox
ESR and Thunderbird.

There is a new ESR version about once a year, and a ESR version gets micro
updates only when there are security issues to fix, and it's not always obvious
from the release notes of a regular release if there are security issues that
are relevant to LibreOffice, hence it's probably best to bundle only the ESR
versions and upgrade for every micro release (as recommended by upstream).

== Fips 140 and signed libraries ==

Fips 140 mode is not supported. That is, the *.chk files containing the
checksums for the cryptographic module are not delivered into instdir and will
not be part of the OOo installation sets.

Signing has been turned off because
- we change the rpath (install names)  after signing which breaks the signatures
(Mac)
- sqlite conflicts with the system sqlite when signing which breaks the build

See also
[https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6]

== libsqlite3 ==

With all supported macOS SDK we use
NSS_USE_SYSTEM_SQLITE=1
to build using the system sqlite.