Bug#704180: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so

[Laurent Bigonville]

On Thu, 28 Mar 2013 20:57:01 -0400 Daniel Kahn Gillmor 
<dkg at fifthhorseman.net> wrote:

 > as of 0.17.4, it looks like i can replace
 > /usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so with
 > /usr/lib/$ARCH_TRIPLE/pkcs11/p11-kit-trust.so and systems that use
 > libnssckbi.so (e.g. iceweasel and icedove) will now treat the system
 > trusted root store as the canonical list of trusted authorities,
 > rather than using their own built-in.
 >
 > I did this with something like:
 >
 > dpkg-divert --divert /usr/lib/$(dpkg-architecture 
-qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig 
/usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so
 > mv /usr/lib/$(dpkg-architecture 
-qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so /usr/lib/$(dpkg-architecture 
-qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig
 > ln -s ../pkcs11/p11-kit-trust.so /usr/lib/$(dpkg-architecture 
-qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so
 >
 > It would be great to have this available to a system administrator
 > without having to do this work manually.
 >
 > Two ways to go about it:
 >
 > a) the p11-kit binary package could have a postinst script, and based 
on a
 > debconf prompt, could decide to make this diversion.
 >
 > b) we could introduce a new binary package that Depends: on p11-kit
 > and unconditionally does this diversion in its postinst script.
 >
 > I prefer (b), because i think it's simpler to say "if you want this
 > behavior, install p11-kit-nssckbi" than to ask admins to
 > dpkg-reconfigure or preseed their debconf selections.
 >
 > If this seems reasonable, i could write a patch to implement it.
 > please let me know (and let me know if you have preferences for
 > strategy a or b also).
 >
 > thanks for keeping p11-kit up-to-date in debian -- this is a big step
 > forward toward using a well-administered trust store!
 >
 > Regards,
 >
 > --dkg

Note that there is also #741005 opened against NSS package