Bug#704180: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so
bigon at debian.org
Fri Mar 3 10:16:01 UTC 2017
On Thu, 28 Mar 2013 20:57:01 -0400 Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> as of 0.17.4, it looks like i can replace
> /usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so with
> /usr/lib/$ARCH_TRIPLE/pkcs11/p11-kit-trust.so and systems that use
> libnssckbi.so (e.g. iceweasel and icedove) will now treat the system
> trusted root store as the canonical list of trusted authorities,
> rather than using their own built-in.
> I did this with something like:
> dpkg-divert --divert /usr/lib/$(dpkg-architecture
> mv /usr/lib/$(dpkg-architecture
> ln -s ../pkcs11/p11-kit-trust.so /usr/lib/$(dpkg-architecture
> It would be great to have this available to a system administrator
> without having to do this work manually.
> Two ways to go about it:
> a) the p11-kit binary package could have a postinst script, and based
> debconf prompt, could decide to make this diversion.
> b) we could introduce a new binary package that Depends: on p11-kit
> and unconditionally does this diversion in its postinst script.
> I prefer (b), because i think it's simpler to say "if you want this
> behavior, install p11-kit-nssckbi" than to ask admins to
> dpkg-reconfigure or preseed their debconf selections.
> If this seems reasonable, i could write a patch to implement it.
> please let me know (and let me know if you have preferences for
> strategy a or b also).
> thanks for keeping p11-kit up-to-date in debian -- this is a big step
> forward toward using a well-administered trust store!
Note that there is also #741005 opened against NSS package
More information about the Pkg-gnutls-maint