Bug#704180: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so

Laurent Bigonville bigon at debian.org
Fri Mar 3 10:16:01 UTC 2017

On Thu, 28 Mar 2013 20:57:01 -0400 Daniel Kahn Gillmor 
<dkg at fifthhorseman.net> wrote:

 > as of 0.17.4, it looks like i can replace
 > /usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so with
 > /usr/lib/$ARCH_TRIPLE/pkcs11/p11-kit-trust.so and systems that use
 > libnssckbi.so (e.g. iceweasel and icedove) will now treat the system
 > trusted root store as the canonical list of trusted authorities,
 > rather than using their own built-in.
 > I did this with something like:
 > dpkg-divert --divert /usr/lib/$(dpkg-architecture 
/usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so
 > mv /usr/lib/$(dpkg-architecture 
-qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so /usr/lib/$(dpkg-architecture 
 > ln -s ../pkcs11/p11-kit-trust.so /usr/lib/$(dpkg-architecture 
 > It would be great to have this available to a system administrator
 > without having to do this work manually.
 > Two ways to go about it:
 > a) the p11-kit binary package could have a postinst script, and based 
on a
 > debconf prompt, could decide to make this diversion.
 > b) we could introduce a new binary package that Depends: on p11-kit
 > and unconditionally does this diversion in its postinst script.
 > I prefer (b), because i think it's simpler to say "if you want this
 > behavior, install p11-kit-nssckbi" than to ask admins to
 > dpkg-reconfigure or preseed their debconf selections.
 > If this seems reasonable, i could write a patch to implement it.
 > please let me know (and let me know if you have preferences for
 > strategy a or b also).
 > thanks for keeping p11-kit up-to-date in debian -- this is a big step
 > forward toward using a well-administered trust store!
 > Regards,
 > --dkg

Note that there is also #741005 opened against NSS package

More information about the Pkg-gnutls-maint mailing list