This update has been unpushed.

This update fixes the CI issue in GnuTLS: https://gitlab.com/gnutls/gnutls/-/merge_requests/1594

@ckujau, if you are in doubt, try (temporarily) blacklisting the cross-signed "COMODO RSA Certification Authority" on the system and see if the connection fails as expected:

$ trust list # check the URL of the cross-signed certificate
$ trust dump --filter 'pkcs11:id=%BB%AF%7E%02%3D%FA%A6%F1%3C%84%8E%AD%EE%38%98%EC%D9%32%32%D4;type=cert' > comodo-rsa.p11-kit
$ sudo cp comodo-rsa.p11-kit /etc/pki/ca-trust/source/blacklist/
$ gnutls-cli host:443
[...]
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

@ckujau, no, the message is just misleading. The certificate is internally dropped from the input chain, and the cross signed (non-expired) certificate is used from the system trust store. See the background of the fix: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352448705

I'll try to update the command output later.

Re-added ca-certificates with a versioned dependency on p11-kit.

@cmadams right, re-added ca-certificates with a versioned dependency on p11-kit. thanks!

Dropping ca-certificates. See https://bodhi.fedoraproject.org/updates/FEDORA-2020-f7bb54009e#comment-1209227 for the rationale.

@cmadams, yes, that's why this update contains both ca-certificates and p11-kit. @pizzadude, that's interesting; maybe the flatpak runtime needs an updated p11-kit.

Anyway I will drop ca-cerfificate from this update for now.

This seems to fix the false-positives we hit on the p11-kit CI: https://travis-ci.org/p11-glue/p11-kit/jobs/633789977#L1534

This update has been unpushed.

Given that the AVC denials are through rtkit, updating only nspr/nss packages shouldn't cause any new denials. So I am dropping firefox for now.

Thank you Nils for the update (sorry for my laziness)!

@cheimes, nss-3.41.0-3.fc28 has been ready for some time but I can't edit this update as it's locked, perhaps adding karma in the pending state confused the system...

@remi, possibly a repo problem on your side? I don't see anything wrong here:

$ rpm -qP nspr-4.20.0-1.fc27.x86_64.rpm | grep '^nspr'
nspr = 4.20.0-1.fc27
nspr(x86-64) = 4.20.0-1.fc27

$ rpm -qR thunderbird-60.0-1.fc27.x86_64.rpm | grep '^nspr'
nspr >= 4.20.0

@jerboaa, there's no policy actually other than that we usually keep the update for a week and make sure there is no serious regression. as it's been in testing for 5 days and have enough karmas, I am going to push this to stable now.

@jchaloup, well nss is NOT pushed into the stable yet. I suspect it's a transitional issue: 20 minutes ago I created override for nss-util, nss-softokn, and nss (all 3.37.3) for building firefox. I can see all those packages are now in the buildroot:

$ koji wait-repo f28-build --build=nss-util-3.37.3-1.0.fc28
Successfully waited 0:01 for nss-util-3.37.3-1.0.fc28 to appear in the f28-build repo
koji wait-repo f28-build --build=nss-softokn-3.37.3-1.0.fc28
Successfully waited 0:01 for nss-softokn-3.37.3-1.0.fc28 to appear in the f28-build repo
koji wait-repo f28-build --build=nss-3.37.3-1.1.fc28
Successfully waited 0:02 for nss-3.37.3-1.1.fc28 to appear in the f28-build repo

Added nss-pem build to this update to resolve the issue, per Kamil's suggestion on bug 1500655

@corsepiu, as I said in the bug, it will be fixed as part of NSS 3.34 release planned for 2017-11-08