[Pkg-openldap-devel] Bug#725153: openldap, nss, and gnutls

Timo Aaltonen tjaalton at debian.org
Tue Apr 19 07:08:12 UTC 2016


10.04.2016, 19:06, Ryan Tandy wrote:
> On Sun, Apr 10, 2016 at 12:11:40PM +0300, Timo Aaltonen wrote:
>> Building from the same root would mean unapplying nss-build.diff on
>> clean and that might be fragile. Using quilt and keeping the patch last
>> on series makes adding patches to need a bit more work. But if you
>> prefer this more then I can make that happen.
> 
> My preference for that was assuming we could build identical source with
> different options, but it looks like we have several reasons for using
> modified sources.
> 
>> I've pushed new commits to the branch trying to address all the things
>> you've mentioned. But looks like #726116 might make all of this too
>> early.
> 
> Ah. That's unfortunate.
> 
> The obvious workaround is to give the NSS build its own config file,
> with the ca-certificates.crt reference removed.  Not exactly ideal, and
> it causes us upgrade grief later on if we want to switch back to having
> the same file for both.
> 
> Actually gnutls28 is configured with a default trust store these days. I
> should look into whether that works with libldap and that default
> setting could be dropped. Not sure about upgraded systems though; we
> aren't supposed to modify conffiles in maintainer scripts, so we'd be
> relying on users to accept the change. Sounds fragile.

Ok, I've got some news and I think they're good: 389ds is working on
getting rid of the dependency on nss:

http://www.port389.org/docs/389ds/design/allow-usage-of-openldap-lib-w-openssl.html

and I've tested the patch and verified that replication with starttls
works now and uploaded it to unstable, so I'd say screw with libldap-nss
at this point :)



-- 
t
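The quoted discussion turns on whether libldap's config file carries a `ca-certificates.crt` reference (`TLS_CACERT`) or whether the TLS backend's own default trust store is relied on instead. The shell snippet below is an added example, not code from this thread or from the openldap packaging: it reads a libldap-style config, reports which trust store (if any) the file points at, and flags a reference to a file or directory that does not exist, which is exactly the situation that breaks certificate verification after a backend or package change. `TLS_CACERT` and `TLS_CACERTDIR` are real ldap.conf options; the sample config files and the temporary paths are constructed here for the demonstration.

```shell
# Added example (not part of the thread): inspect a libldap-style ldap.conf
# and report the trust store it references. Output is one of
#   file:<path>     TLS_CACERT set and readable
#   dir:<path>      TLS_CACERTDIR set and present (no TLS_CACERT)
#   missing:<path>  a trust store is referenced but does not exist
#   none            no trust store configured; the TLS library's default applies
ldap_trust_store() {
    conf="$1"
    # Take the last occurrence of each key; '#'-commented lines never match
    # because the first field would start with '#'.
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}' "$conf")
    cadir=$(awk 'toupper($1)=="TLS_CACERTDIR"{v=$2} END{print v}' "$conf")
    if [ -n "$cacert" ]; then
        if [ -r "$cacert" ]; then echo "file:$cacert"; else echo "missing:$cacert"; fi
    elif [ -n "$cadir" ]; then
        if [ -d "$cadir" ]; then echo "dir:$cadir"; else echo "missing:$cadir"; fi
    else
        echo "none"
    fi
}

# Constructed sample configs: one with a TLS_CACERT reference, one without.
tmpd=$(mktemp -d)
printf 'BASE dc=example,dc=org\nTLS_CACERT %s\n' "$tmpd/ca.crt" > "$tmpd/with-cacert.conf"
printf 'BASE dc=example,dc=org\n' > "$tmpd/without-cacert.conf"
: > "$tmpd/ca.crt"   # stand-in for the CA bundle

ldap_trust_store "$tmpd/with-cacert.conf"
ldap_trust_store "$tmpd/without-cacert.conf"
```

Run it against the real file with `ldap_trust_store /etc/ldap/ldap.conf`; a `missing:` result means the client config names a bundle that is not installed, while `none` means verification depends entirely on whatever default trust store the linked TLS backend (GnuTLS or NSS) was built with.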


