Bug#704180: Use p11-kit to replace nssckbi

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jan 11 16:21:49 GMT 2019


On Fri 2019-01-11 08:09:02 +0000, David Woodhouse wrote:
> Looking back, I see this bug was opened with the comment "With the
> recent switch of wheezy-security's iceweasel to using the
> embedded copy of nss..."
>
> That was 2014 though. Is it no longer the case?

i can confirm that it is no longer the case. I've got firefox and
thunderbird on a debian buster/sid system and they do not ship
libnssckbi.so -- they appear to rely on the one in the libnss3 package.

> FWIW my Ubuntu 18.04 box does have separate instances of libnssckbi.so
> in /usr/lib/{thunderbird,firefox}/ (along with all the other NSS
> libraries, I believe).

that's interesting; i've got firefox (64.0-1) and firefox-esr
(60.4.0esr-1) and thunderbird (1:60.3.1-1) installed and this is dpkg's
full scan of the system for libnssckbi.so:

0 dkg at alice:~$ dpkg -S libnssckbi.so
libnss3:amd64: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
0 dkg at alice:~$ 

> Perhaps the answer is that any separate instances of NSS should *not*
> ship their own libnssckbi.so and should use the system one. The
> interface there is entirely stable as it's PKCS#11, so there won't be
> compatibility problems (else p11-kit-trust couldn't work either).

sounds like a bug report to ubuntu is in order.

       --dkg
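
An added example, not part of the original message or of any Debian or Ubuntu tooling: a shell function that finds every libnssckbi.so under a directory and reports whether each is a separate copy or a symlink resolving to p11-kit-trust.so. The function names, the output labels and the root argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): classify each libnssckbi.so under ROOT.
# Output, tab-separated: <kind> <path> <resolved target or ->
#   copy     regular file: a separate trust module with its own root CA list
#   p11-kit  symlink that resolves to p11-kit-trust.so (system trust store)
#   symlink  symlink to anything else
audit_nssckbi() {
    root=$1
    find "$root" -name libnssckbi.so \( -type f -o -type l \) 2>/dev/null |
    sort |
    while IFS= read -r path; do
        if [ -L "$path" ]; then
            # Follow the whole chain (e.g. through /etc/alternatives).
            target=$(readlink -f "$path" 2>/dev/null) || target=
            [ -n "$target" ] || target=$(readlink "$path")
            case "${target##*/}" in
                p11-kit-trust.so) kind=p11-kit ;;
                *)                kind=symlink ;;
            esac
        else
            kind=copy
            target=-
        fi
        printf '%s\t%s\t%s\n' "$kind" "$path" "$target"
    done
}

# Number of separate regular-file copies; each one is a trust store that
# has to be updated on its own.
count_copies() {
    audit_nssckbi "$1" | awk -F '\t' '$1 == "copy" { n++ } END { print n + 0 }'
}

# Stand-alone use: sh audit.sh /usr/lib
if [ "$#" -gt 0 ]; then
    audit_nssckbi "$1"
fi
```

A count above one from `count_copies /usr/lib` means some application ships its own module next to the one from libnss3.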


More information about the Pkg-gnutls-maint mailing list