On 12/15/20 5:09 PM, Adam Williamson wrote:
On Tue, 2020-12-15 at 22:38 +0100, Alexander Ploumistos wrote:
> On Tue, Dec 15, 2020 at 9:04 PM Alexander Ploumistos
> <alex.ploumistos(a)gmail.com> wrote:
>>
>> On Tue, Dec 15, 2020 at 8:17 PM Kevin Fenzi <kevin(a)scrye.com> wrote:
>>>
>>> If you upgrade in f33 or rawhide to nss 3.59, all your firefox add-ons
>>> will stop working. Worse they will appear corrupted, so you will have to
>>> remove them and re-install them (after downgrading nss).
>>
>> I'm running firefox 83.0-13.fc33.x86_64 with nss 3.59.0-2.fc33
>> installed since it hit my local updates-testing mirror and all my
>> add-ons are looking good.
>
> So, I spoke too soon. I just got notified that one of my add-ons is
> misbehaving and it has been disabled. I'm still on the same session I
> was when I sent the previous message, nothing was installed or updated
> in the meantime. Is this bug time-based or something?
You didn't answer the question whether you had restarted Firefox since
installing the new nss.
Either way, probably Firefox is doing a periodic check of installed
add-ons and that fails whenever it happens now. The issue is they're
signed with SHA-1 certs, but nss is now not accepting SHA-1 per the
current system-wide policy.
Since there is no great way for end-users to motivate the various add-on creators to
update their certs, this sounds like a serious problem.
For now I've put an exclude in my dnf.conf to prevent any nss upgrades, but that is
also not a great solution, for obvious reasons. Perhaps there will have to be a way for
end-users to override the check for critical add-ons. Hopefully the add-on creators will
eventually switch certs, but that could take a very long time.
Steve