Bug#704180: Use p11-kit to replace nssckbi
David Woodhouse
dwmw2 at infradead.org
Fri Jan 11 08:09:02 GMT 2019
On Thu, 2019-01-10 at 19:14 +0100, Laurent Bigonville wrote:
> > However, am I right in thinking that we have multiple packages all
> > shipping their *own* special version of the NSS libraries, instead of
> > using the system one? Each instance of libnssckbi.so (in firefox,
> > thunderbird, etc.) would need to be replaced, wouldn't it?
>
> If I'm searching for a file called libnssckbi.so in the archive, the
> only other occurrence is in package libapache2-mod-nss.
Looking back, I see this bug was opened with the comment "With the
recent switch of wheezy-security's iceweasel to using the
embedded copy of nss..."
That was 2014 though. Is it no longer the case?
FWIW my Ubuntu 18.04 box does have separate instances of libnssckbi.so
in /usr/lib/{thunderbird,firefox}/ (along with all the other NSS
libraries, I believe).
Perhaps the answer is that any separate instances of NSS should *not*
ship their own libnssckbi.so and should use the system one. The
interface there is entirely stable as it's PKCS#11, so there won't be
compatibility problems (else p11-kit-trust couldn't work either).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5174 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnutls-maint/attachments/20190111/df12795e/attachment.bin>
More information about the Pkg-gnutls-maint
mailing list