On 3/15/23 7:12 PM, Usha Nayak wrote:
Hello

Thank you both for your responses.

Forgive me, but I do have a few follow-up questions:

In the event, say, a machine (Windows or Linux) has the latest version of sqlite (system provided or, say, built manually), what needs to be done for NSS to pick it up?

Do we need to build NSS with a certain option so it can link to the machine’s SQLite? In the event there’s none on the machine, I’m assuming NSS will default to using its own SQLite?

The easiest way is to build with system_sqlite:

./build.sh --system-sqlite {your other build options}

for ninja/gyp builds or

export NSS_USE_SYSTEM_SQLITE=1

gmake nss_build_all

gmake builds


It's possible you can just make sure your copy of sqlite is in your path and remove the nss built one as well (I haven't tried it, but the only thing that would prevent it from working is any .dll config difference between the system shared library and the nss built one).

If you build with system-sqlite you'll need to have the system-sqlite build environment installed at build time. If sqlite isn't on your system, NSS would fail (the libraries are direct link, so the system's loader will fail to load nss if it can't find a matching sqlite). You could also use the system function to include your own sqlite. Go to sqlite upstream and pull and build it yourself, then install the header files. You can then build nss with the --system-sqlite and NSS would end up using your own built sqlite.

bob


FYI, we are planning on upgrading to NSS 3.88 and, if I’m not mistaken, the SQLite version that’s packaged up is 3.29

Thank you

On Wed, Mar 15, 2023 at 7:55 PM Martin Thomson <m...@mozilla.com> wrote:

    Just to expand on what Bob said, we don't make any guarantees
    about the version of sqlite that is in our tree.  It exists only
    to support standalone builds of NSS.

    As a general rule, it will be out of date and can be vulnerable. 
    But the sqlite project has a history of excellent ABI
    compatibility, so the latest version should work with NSS.  If it
    doesn't work, that might be worth flagging to us.

    We also accept patches and would be happy to look at a patch that
    updates our copy of sqlite if that works better for you.

    On Thu, Mar 16, 2023 at 10:08 AM Robert Relyea
    <rrel...@redhat.com> wrote:

        On 3/15/23 8:39 AM, Usha Nayak wrote:
        Hello,

        We are building NSS and are packing it in our product. For
        our application we use IAIK PKCS#11 wrapper to connect to NSS.

        Following properties file contains information that's used by
        iaik to connect to NSS :
        image.png

        We use following commands to create DB:
        "NSS\bin\modutil.exe" -force -create -dbdir
        sql:"%XXX%\data\NSS\db"

        As far as I know we are using the sqlite lib that's packaged
        in NSS 3.88. Are there plans to upgrade it? If there are
        security concerns, what can we do to mitigate it?


        The image is missing, so a vital part of our question isn't
        visible.

        That being said, we usually update sqlite when we need to to
        fix NSS issues, or if NSS needs to use more advanced sqlite
        features.

        Many users of NSS provide their own copy of sqlite (either
        because they have their own copy as part of a larger
        application... like firefox, or because sqlite is provided by
        the os (like many Linux distributions)). If you are concerned
        with shipping or using the older version of sqlite3, you could
        build our own from the sqlite3 project and use it.

        bob


        Any help greatly appreciated

        Thanks.
-- You received this message because you are subscribed to the
        Google Groups "dev-tech-crypto@mozilla.org"
        <mailto:dev-tech-crypto@mozilla.org> group.
        To unsubscribe from this group and stop receiving emails from
        it, send an email to dev-tech-crypto+unsubscr...@mozilla.org.
        To view this discussion on the web visit
        
https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/88ae58f8-c4c2-4f91-aa85-eccc3c745d71n%40mozilla.org
        
<https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/88ae58f8-c4c2-4f91-aa85-eccc3c745d71n%40mozilla.org?utm_medium=email&utm_source=footer>.
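
Added example, not part of the original thread or of NSS: a shell check for which sqlite the loader resolves for NSS's softoken library, covering the bundled copy, a system or self-built copy, and the "loader can't find a matching sqlite" failure described above. The install path /opt/example/nss/lib and the sample ldd output are constructed; it assumes a Linux system where ldd is available.

```shell
#!/bin/sh
# classify_sqlite_dep NSS_LIB_DIR
# Reads `ldd` output for libsoftokn3.so on stdin and prints one of:
#   bundled:<path>  sqlite resolved inside NSS_LIB_DIR (copy built with NSS)
#   system:<path>   sqlite resolved elsewhere (OS package or self-built)
#   missing         sqlite is needed but not found, so NSS will fail to load
#   none            no sqlite dependency listed at all
classify_sqlite_dep() {
    awk -v dir="${1%/}/" '
        $1 ~ /^libsqlite3\.so/ && $2 == "=>" {
            found = 1
            if ($3 == "not")              print "missing"
            else if (index($3, dir) == 1) print "bundled:" $3
            else                          print "system:" $3
            exit
        }
        END { if (!found) print "none" }
    '
}

# Constructed sample ldd output (hypothetical install under /opt/example/nss).
SAMPLE_BUNDLED='	libnssutil3.so => /opt/example/nss/lib/libnssutil3.so (0x00007f0000000000)
	libsqlite3.so => /opt/example/nss/lib/libsqlite3.so (0x00007f0000100000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'
SAMPLE_SYSTEM='	libnssutil3.so => /opt/example/nss/lib/libnssutil3.so (0x00007f0000000000)
	libsqlite3.so.0 => /usr/lib64/libsqlite3.so.0 (0x00007f0000100000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'
SAMPLE_MISSING='	libnssutil3.so => /opt/example/nss/lib/libnssutil3.so (0x00007f0000000000)
	libsqlite3.so.0 => not found
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

# On a real host, replace the sample with:
#   ldd "$NSS_LIB_DIR/libsoftokn3.so" | classify_sqlite_dep "$NSS_LIB_DIR"
for sample in "$SAMPLE_BUNDLED" "$SAMPLE_SYSTEM" "$SAMPLE_MISSING"; do
    printf '%s\n' "$sample" | classify_sqlite_dep /opt/example/nss/lib
done
```

A "bundled" result on a shipped product means the sqlite version is whatever the NSS tree carried at build time, which is the case the thread recommends avoiding when sqlite's patch level matters.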

