Package: nss
Version: 2:3.35-2
Severity: normal

Hi,
I found this while trying to get chrony building against nss instead of libtomcrypt. After a while I realized that several libraries of nss are in a subdir to the common load path, and thereby not usable without special workarounds.

Those are:
  /usr/lib/x86_64-linux-gnu/nss/libfreebl3.chk
  /usr/lib/x86_64-linux-gnu/nss/libfreebl3.so
  /usr/lib/x86_64-linux-gnu/nss/libfreeblpriv3.chk
  /usr/lib/x86_64-linux-gnu/nss/libfreeblpriv3.so
  /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
  /usr/lib/x86_64-linux-gnu/nss/libnssdbm3.chk
  /usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
  /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.chk
  /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so

Now I wondered, as other projects (such as chrony) expect them to be consumable "normally". So I discussed with a few people and checked other distributions. I happened to find that Fedora ships them in the path that I'd expect (split into a few more binary packages):

  $ dnf repoquery --installed -l nss-softokn-freebl nss-softokn | grep '.so$'
  /usr/lib64/libfreebl3.so
  /usr/lib64/libfreeblpriv3.so
  /usr/lib64/libnssdbm3.so
  /usr/lib64/libsoftokn3.so

There might be some history to this that I don't know of - and I beg your pardon if that is the case. But as it is I'd ask to get those .so's in a more usable place instead of the ..../nss/ subdir.

I found that libnssckbi.so in Fedora has a redirect via /etc/alternatives, but we don't have any of that. We only have private versions of it in thunderbird (ok) and a link to its current path in libapache2-mod-nss (that would be an issue if we move). With so many "specials" on libnssckbi.so I didn't touch it, but for the others the following change would make them more consumable.

The following is a suggestion that worked for me in test builds, but consider it RFC as I'm mostly interested in your opinion and maybe insights into the history of why it is done the way it is at the moment.

--- a/debian/rules +++ b/debian/rules
@@ -135,15 +135,15 @@ manpage = $(addsuffix .1,$(addprefix nss/doc/nroff/,$(1))) override_dh_auto_install: $(PREPROCESS_FILES:.in=) install -m 755 -d debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-dev/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig install -m 644 -t debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH) \ + $(DISTDIR)/lib/libfreebl3.so \ + $(DISTDIR)/lib/libfreeblpriv3.so \ $(DISTDIR)/lib/libnss3.so \ + $(DISTDIR)/lib/libnssdbm3.so \ $(DISTDIR)/lib/libnssutil3.so \ $(DISTDIR)/lib/libsmime3.so \ + $(DISTDIR)/lib/libsoftokn3.so \ $(DISTDIR)/lib/libssl3.so install -m 644 -t debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss \ - $(DISTDIR)/lib/libfreebl3.so \ - $(DISTDIR)/lib/libfreeblpriv3.so \ - $(DISTDIR)/lib/libsoftokn3.so \ - $(DISTDIR)/lib/libnssdbm3.so \ $(DISTDIR)/lib/libnssckbi.so install -m 644 -t debian/libnss3-dev/usr/include/nss \ @@ -175,7 +175,7 @@ endif override_dh_strip: dh_strip -a --dbg-package=libnss3-dbg $(foreach lib,libsoftokn3.so libfreebl3.so libfreeblpriv3.so libnssdbm3.so, \ - $(call cmd,umask 022; $(SHLIBSIGN) -v -i debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss/$(lib))) + $(call cmd,umask 022; $(SHLIBSIGN) -v -i debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/$(lib))) ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH)) # Check FIPS mode correctly works -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd
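Review bot: in the first hunk (override_dh_auto_install), the second install list targeting .../nss is left with only libnssckbi.so, and nothing records why it stays behind while libfreebl3.so, libfreeblpriv3.so, libnssdbm3.so and libsoftokn3.so move up to the multiarch directory. Add a short comment above that install line stating the reason. Since the patch touches only debian/rules, also check that no other packaging file still names the four moved libraries under .../nss/.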
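Review bot: in the second hunk (override_dh_strip), the SHLIBSIGN path now drops /nss/, so the .chk files will be generated next to the relocated libraries, but the context stops at "# Check FIPS mode correctly works" and the body of that check is not part of the change. If that check points at .../nss/ to find the signed libraries, it needs the same path update, so please confirm and include it in the patch if so. It is also guarded by the DEB_HOST_ARCH / DEB_BUILD_ARCH comparison, so a cross build would not exercise the check and would not catch a mismatch between library and .chk locations.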