Bug#704180: Use p11-kit to replace nssckbi

Laurent Bigonville bigon at debian.org
Thu Jan 10 18:14:06 GMT 2019


On 10/01/19 at 19:03, David Woodhouse wrote:
> On Wed, 2019-01-09 at 14:04 -0500, Daniel Kahn Gillmor wrote:
>> On Wed 2019-01-09 16:39:36 +0100, Laurent Bigonville wrote:
>>> So what is the status of this?
>>>
>>> In RHEL 7 they made the switch to p11-kit and libnssckbi.so is an
>>> alternative between the file shipped by nss and p11-kit-trust.so shipped
>>> by p11-kit (with p11-kit version being the default).
>>>
>>> Should we switch Debian by default to p11-kit as well?
>> seems like the maintainers of p11-kit could unilaterally decide to
>> implement the diversion approach mentioned in
>> https://bugs.debian.org/704180 with a new binary package, if the nss
>> folks are reluctant to do it.
>>
>> I'm cc'ing Andreas here to try to get some feedback -- is this something
>> that there's interest in for the p11-kit maintainers?
> That would seem like an excellent way to do it.
>
> However, am I right in thinking that we have multiple packages all
> shipping their *own* special version of the NSS libraries, instead of
> using the system one? Each instance of libnssckbi.so (in firefox,
> thunderbird, etc.) would need to be replaced, wouldn't it?

If I search for a file called libnssckbi.so in the archive, the
only other occurrence is in the package libapache2-mod-nss.

Wouldn't it be better to use an alternative so a local admin can switch
back to the libnss3 version? When I discussed bug #820437 with Mike,
he didn't look opposed to using p11-kit, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820437#19


