On 10/01/19 at 19:03, David Woodhouse wrote:
> On Wed, 2019-01-09 at 14:04 -0500, Daniel Kahn Gillmor wrote:
> > On Wed 2019-01-09 16:39:36 +0100, Laurent Bigonville wrote:
> > > So what is the status of this?
> > > In RHEL 7 they made the switch to p11-kit and libnssckbi.so is an
> > > alternative between the file shipped by nss and p11-kit-trust.so shipped
> > > by p11-kit (with p11-kit version being the default).
> > > Should we switch Debian by default to p11-kit as well?
> > seems like the maintainers of p11-kit could unilaterally decide to
> > implement the diversion approach mentioned in
> > https://bugs.debian.org/704180 with a new binary package, if the nss
> > folks are reluctant to do it.
> > I'm cc'ing Andreas here to try to get some feedback -- is this something
> > that there's interest in for the p11-kit maintainers?
> That would seem like an excellent way to do it.
> However, am I right in thinking that we have multiple packages all
> shipping their *own* special version of the NSS libraries, instead of
> using the system one? Each instance of libnssckbi.so (in firefox,
> thunderbird, etc.) would need to be replaced, wouldn't it?
If I'm searching for a file called libnssckbi.so in the archive, the
only other occurrence is in package libapache2-mod-nss.
Shouldn't it be better to use an alternative so a local admin can switch
back to the libnss3 version? When I discussed with Mike about bug
#820437 he didn't look opposed to using p11-kit, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820437#19