Possible NuGet restore failures

Asked by Loic Sharma on 2021-04-01

Hello,

I am from the NuGet team at Microsoft. NuGet is the package manager for the .NET ecosystem, including the C# language. Network Security Services (NSS) 3.63 and newer distrusts Symantec which will cause failures when installing NuGet packages. For more information, please see: https://github.com/NuGet/Announcements/issues/56

Does Ubuntu use NSS to maintain its list of trusted root certificates? If so, does Ubuntu have a timeline for when it will update to NSS 3.63 or newer?

If you need any additional information, feel free to reach out to me at <email address hidden>.

Best,
Loic

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu ca-certificates Edit question
Assignee:
No assignee Edit question
Solved by:
Manfred Hampl
Solved:
2021-04-01
Last query:
2021-04-01
Last reply:
2021-04-01
Best Manfred Hampl (m-hampl) said : #1

Not sure whether this help or is sufficient:

The version of nss in Ubuntu differs between the Ubuntu releases.
see https://launchpad.net/ubuntu/+source/nss
Ubuntu releases 20.10 and older have nss versions of 3.55 and lower.

Ubuntu 21.04 hirsute (development release to be published in three weeks' time) contains 3.61, with 3.63 currently being in preparation (hirsute-proposed)

Loic Sharma (loshar-msft) said : #2

Thank you, that helps! I see that there is an open bug to re-add Symantec CA for non-TLS use here: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1913951

I will follow-up on that bug with the information you provided.

Loic Sharma (loshar-msft) said : #3

Thanks Manfred Hampl, that solved my question.

Loic Sharma (loshar-msft) said : #4

Hello,

We have published new .NET builds to workaround this issue: https://github.com/dotnet/announcements/issues/180

Does Ubuntu have plans to update to NSS 3.63+ on the following releases: 16.04, 18.04, 20.04? If so, would it be possible to delay the removal of the "VeriSign Universal Root Certification Authority" (for code signing only) by a month on those releases? This would help enable .NET users on Ubuntu adopt the newer .NET builds.

Best,
Loic & the .NET team at Microsoft

Manfred Hampl (m-hampl) said : #5

"Does Ubuntu have plans to update to NSS 3.63+ on the following releases: 16.04, 18.04, 20.04?"

General answer: No

Ubuntu's release strategy is to keep programs in the version that was current when the Ubuntu release was published.
Updates to higher versions are done only in exceptional cases (a limited list of packages like firefox, thunderbird, tzinfo, kernel packages etc., or to correct high-impact bugs). But even for bugs it is preferred to cherry-pick the relevant change and backport it to the older version instead of upgrading the whole package to a newer version. For further details see https://wiki.ubuntu.com/StableReleaseUpdates