Bug#704180: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Mar 29 00:57:01 UTC 2013


Package: p11-kit
Version: 0.17.4-1
Severity: wishlist

as of 0.17.4, it looks like I can replace
/usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so with
/usr/lib/$ARCH_TRIPLE/pkcs11/p11-kit-trust.so and systems that use
libnssckbi.so (e.g. iceweasel and icedove) will now treat the system
trusted root store as the canonical list of trusted authorities,
rather than using their own built-in.

I did this with something like:

ARCH_TRIPLE=$(dpkg-architecture -qDEB_BUILD_MULTIARCH)
# register the diversion with dpkg, then move the real module aside under the diverted name
dpkg-divert --divert /usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so.orig /usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so
mv /usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so /usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so.orig
# make the NSS builtin-roots module name resolve to p11-kit's trust module
ln -s ../pkcs11/p11-kit-trust.so /usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so

It would be great to have this available to a system administrator
without having to do this work manually.

Two ways to go about it:

 a) the p11-kit binary package could have a postinst script, and based on a
    debconf prompt, could decide to make this diversion.

 b) we could introduce a new binary package that Depends: on p11-kit
    and unconditionally does this diversion in its postinst script.

I prefer (b), because I think it's simpler to say "if you want this
behavior, install p11-kit-nssckbi" than to ask admins to
dpkg-reconfigure or preseed their debconf selections.

If this seems reasonable, I could write a patch to implement it.
Please let me know (and let me know if you have preferences for
strategy a or b also).

Thanks for keeping p11-kit up-to-date in Debian -- this is a big step
forward toward using a well-administered trust store!

Regards,

        --dkg

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages p11-kit depends on:
ii  libc6        2.13-38
ii  libp11-kit0  0.17.4-1
ii  libtasn1-6   3.2-1

p11-kit recommends no packages.

p11-kit suggests no packages.

-- debconf-show failed
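What the maintainer-script side of option (b) could look like, as an added example that is not dkg's code and not part of the p11-kit package: postinst/postrm logic for the proposed p11-kit-nssckbi package. It assumes that package name from the report, uses dpkg-divert's --rename so dpkg moves the module aside instead of the manual mv above, and queries DEB_HOST_MULTIARCH (the target architecture) rather than DEB_BUILD_MULTIARCH; DPKG_DIVERT and DESTROOT are hooks so the logic can be exercised on a staging tree.

```sh
#!/bin/sh
# Maintainer-script logic for the hypothetical p11-kit-nssckbi package:
# installing it diverts NSS's libnssckbi.so aside and points that name at
# p11-kit-trust.so; removing it puts the original module back.
set -e

PKG=p11-kit-nssckbi                      # hypothetical package name
DPKG_DIVERT=${DPKG_DIVERT:-dpkg-divert}  # overridable, e.g. with a stub for tests
DESTROOT=${DESTROOT:-}                   # operate on a staging tree instead of /

# Path of the NSS builtin-roots module for a given multiarch triple.
nss_module() { printf '%s/usr/lib/%s/nss/libnssckbi.so' "$DESTROOT" "$1"; }

# postinst "configure": register the diversion under our package name so
# dpkg records who owns it and nss upgrades keep honouring it; --rename makes
# dpkg-divert move the real module aside itself (no manual mv needed), then
# the p11-kit trust module is symlinked in under the original name.
divert_nssckbi() {
    mod=$(nss_module "$1")
    if [ ! -L "$mod" ]; then             # idempotent: a symlink means already done
        "$DPKG_DIVERT" --package "$PKG" --add --rename \
            --divert "$mod.orig" "$mod"
        ln -sf ../pkcs11/p11-kit-trust.so "$mod"
    fi
}

# postrm "remove": drop our symlink, then remove the diversion; with --rename
# dpkg-divert moves libnssckbi.so.orig back to libnssckbi.so.
undivert_nssckbi() {
    mod=$(nss_module "$1")
    if [ -L "$mod" ]; then
        rm -f "$mod"
        "$DPKG_DIVERT" --package "$PKG" --remove --rename \
            --divert "$mod.orig" "$mod"
    fi
}

# Dispatch the way dpkg invokes postinst/postrm; a bare run is a no-op.
case "${1:-}" in
    configure) divert_nssckbi "$(dpkg-architecture -qDEB_HOST_MULTIARCH)" ;;
    remove)    undivert_nssckbi "$(dpkg-architecture -qDEB_HOST_MULTIARCH)" ;;
esac
```

Registering the diversion with --package is what lets a later removal of p11-kit-nssckbi undo it cleanly, and it is what keeps a future nss package upgrade from overwriting the symlink (dpkg unpacks the new libnssckbi.so under the diverted name instead).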
