On Fri 2019-01-11 08:09:02 +0000, David Woodhouse wrote: > Looking back, I see this bug was opened with the comment "With the > recent switch of wheezy-security's iceweasel to using the > embedded copy of nss..." > > That was 2014 though. Is it no longer the case?
i can confirm that it is no longer the case. I've got firefox and
thunderbird on a debian buster/side system and they do not ship
libnssckbi.so -- they appear to rely on the one in the libnss3 package.
> FWIW my Ubuntu 18.04 box does have separate instances of libnssckbi.so
> in /usr/lib/{thunderbird,firefox}/ (along with all the other NSS
> libraries, I believe).
that's interesting; i've got firefox (64.0-1) and firefox-esr
(60.4.0esr-1) and thunderbird (1:60.3.1-1) installed and this is dpkg's
full scan of the system for libnssckbi.so:
0 dkg@alice:~$ dpkg -S libnssckbi.so
libnss3:amd64: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
0 dkg@alice:~$
> Perhaps the answer is that any separate instances of NSS should *not*
> ship their own libnssckbi.so and should use the system one. The
> interface there is entirely stable as it's PKCS#11, so there won't be
> compatibility problems (else p11-kit-trust couldn't work either).
sounds like a bug report to ubuntu is in order.
--dkg
signature.asc
Description: PGP signature
