Debian Bug report logs - #704180
p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so


Package: p11-kit; Maintainer for p11-kit is Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>; Source for p11-kit is src:p11-kit.

Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Date: Fri, 29 Mar 2013 01:00:02 UTC

Severity: wishlist

Tags: patch

Found in versions p11-kit/0.17.4-1, p11-kit/0.24.1-2



Report forwarded to debian-bugs-dist@lists.debian.org, dkg@fifthhorseman.net, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Fri, 29 Mar 2013 01:00:06 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to dkg@fifthhorseman.net, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 29 Mar 2013 01:00:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so
Date: Thu, 28 Mar 2013 20:57:01 -0400
Package: p11-kit
Version: 0.17.4-1
Severity: wishlist

as of 0.17.4, it looks like i can replace
/usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so with
/usr/lib/$ARCH_TRIPLE/pkcs11/p11-kit-trust.so and systems that use
libnssckbi.so (e.g. iceweasel and icedove) will now treat the system
trusted root store as the canonical list of trusted authorities,
rather than using their own built-in.

I did this with something like:

dpkg-divert --divert /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so
mv /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig 
ln -s ../pkcs11/p11-kit-trust.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so

It would be great to have this available to a system administrator
without having to do this work manually.

Two ways to go about it:

 a) the p11-kit binary package could have a postinst script, and based on a
    debconf prompt, could decide to make this diversion.

 b) we could introduce a new binary package that Depends: on p11-kit
    and unconditionally does this diversion in its postinst script.

I prefer (b), because i think it's simpler to say "if you want this
behavior, install p11-kit-nssckbi" than to ask admins to
dpkg-reconfigure or preseed their debconf selections.

If this seems reasonable, i could write a patch to implement it.
please let me know (and let me know if you have preferences for
strategy a or b also).

thanks for keeping p11-kit up-to-date in debian -- this is a big step
forward toward using a well-administered trust store!

Regards,

        --dkg

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages p11-kit depends on:
ii  libc6        2.13-38
ii  libp11-kit0  0.17.4-1
ii  libtasn1-6   3.2-1

p11-kit recommends no packages.

p11-kit suggests no packages.

-- debconf-show failed



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Sat, 07 Dec 2013 13:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Sat, 07 Dec 2013 13:48:04 GMT) (full text, mbox, link).


Message #10 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Raphael Geissert <geissert@debian.org>
Cc: 731463@bugs.debian.org, 718434@bugs.debian.org, 704180@bugs.debian.org
Subject: Re: Bug#718434: Bug#731463: Bug#718434: ca-certificates: should CAcert.org be included?
Date: Sat, 07 Dec 2013 08:44:56 -0500
On 12/07/2013 07:54 AM, Raphael Geissert wrote:
> On Saturday 07 December 2013 01:21:52 Daniel Kahn Gillmor wrote:
>> The other way to maintain the same CA set is for Someone™ to fix #704180
> 
> While I like that solution (having to modify nss to add/remove certs is a 
> PITA), I wonder how trust settings should be managed. With nss' ckbi store 
> you can ship a certificate and indicate no trust setting for a specific use, 
> distrust, etc. No trust setting can be determined from /etc/ssl/certs, 
> losing important information.
> Do you know if there's already a plan to address that shortcoming?

(setting followup-to: #704180 for this sub-thread)

my understanding of ca-certificates is that /etc/ssl/certs is itself a
(coarse-grained) trust setting.  That is, we have a bunch of certs
shipped in /usr/share/ca-certificates, and during the
ca-certificates.postinst maintainer script, those certificates selected
as "trusted" by the system administrator are symlinked from
/etc/ssl/certs.   By default, if the admin has low debconf priority: all
of them are considered trusted.

This isn't the finer-grained trust available in the traditional nssckbi,
which lets you break out three different broad areas of reliance:

 * certify web servers
 * certify e-mail users
 * certify code signatures

so ca-certificates and /etc/ssl/certs is slightly more clunky.  But
frankly, even nss-ckbi is clunky by comparison with what anyone who
cares about this would sensibly want.  For example, i might only want to
rely on the CA from example.com's administrators to be able to certify
e-mail users *within example.com*.

p11-kit has proposed mechanisms (i haven't tested them, but as i
understand it, the idea is to associate extra X.509v3 extensions with
the certificates in question) to implement this sort of finer-grained
permission, even if it is not represented by ca-certificates.

So it seems sensible to me to start with the coarse-grained nssckbi
override using ca-certificates' coarse "all-or-nothing" approach to
demonstrate basic functionality, and then figure out how to adjust the
finer-grained nuance within p11-kit itself.

	--dkg


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Wed, 05 Feb 2014 21:03:10 GMT) (full text, mbox, link).


Acknowledgement sent to Ryan Sleevi <sleevi@google.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 05 Feb 2014 21:03:10 GMT) (full text, mbox, link).


Message #15 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Ryan Sleevi <sleevi@google.com>
To: 704180@bugs.debian.org
Cc: glandium@debian.org
Date: Wed, 5 Feb 2014 13:01:14 -0800
At the risk of being a "me-too", I think there is a real concrete use case
for better integrating the p11-kit/nssckbi diversion.

Currently, NSS ( http://packages.debian.org/wheezy/libnss3 ) carries a
patch to add certificates for SPI and CACert (
http://patch-tracker.debian.org/package/nss/2:3.14.5-1 ). These add two
certificate authorities that are not audited nor do they participate in any
root store program. While I can understand and respect the ideological
reasons for their inclusions, administrators of Debian and Debian-derived
systems may have a desire to remove or restrict such certificates, as they
open up all NSS-using applications to the risk of MITM or compromise that
would not (generally) be detected by root store operators.

Using the p11-kit-trust module as a diversion for nssckbi would allow the
patches to nssckbi.so to be removed, and moved into p11-kit. p11-kit-trust would
then allow administrators to disable or remove such trust, without having
to recompile or repackage either NSS or p11-kit - simply by modifying the
trust entries on disk.

Fedora and Red Hat have already integrated NSS and p11-kit in this way -
see http://pkgs.fedoraproject.org/cgit/p11-kit.git/tree/p11-kit.spec ,
which on post-inst sets p11-kit to be a diversion for the nssckbi trust
module via update-alternatives.

On a concrete level, what are the steps we can take to move forward to such
a system? Is this something the maintainers could add, is this something
patches would be welcome for, or are there fundamental oppositions to
allowing administrators full control over their root stores, without
requiring a repackaging of NSS to mask out the patches?

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Fri, 03 Mar 2017 10:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 03 Mar 2017 10:21:03 GMT) (full text, mbox, link).


Message #20 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Laurent Bigonville <bigon@debian.org>
To: 704180@bugs.debian.org
Subject: Re: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so
Date: Fri, 3 Mar 2017 11:16:01 +0100
On Thu, 28 Mar 2013 20:57:01 -0400 Daniel Kahn Gillmor 
<dkg@fifthhorseman.net> wrote:

> as of 0.17.4, it looks like i can replace
> /usr/lib/$ARCH_TRIPLE/nss/libnssckbi.so with
> /usr/lib/$ARCH_TRIPLE/pkcs11/p11-kit-trust.so and systems that use
> libnssckbi.so (e.g. iceweasel and icedove) will now treat the system
> trusted root store as the canonical list of trusted authorities,
> rather than using their own built-in.
>
> I did this with something like:
>
> dpkg-divert --divert /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so
> mv /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig
> ln -s ../pkcs11/p11-kit-trust.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so
>
> It would be great to have this available to a system administrator
> without having to do this work manually.
>
> Two ways to go about it:
>
> a) the p11-kit binary package could have a postinst script, and based on a
> debconf prompt, could decide to make this diversion.
>
> b) we could introduce a new binary package that Depends: on p11-kit
> and unconditionally does this diversion in its postinst script.
>
> I prefer (b), because i think it's simpler to say "if you want this
> behavior, install p11-kit-nssckbi" than to ask admins to
> dpkg-reconfigure or preseed their debconf selections.
>
> If this seems reasonable, i could write a patch to implement it.
> please let me know (and let me know if you have preferences for
> strategy a or b also).
>
> thanks for keeping p11-kit up-to-date in debian -- this is a big step
> forward toward using a well-administered trust store!
>
> Regards,
>
> --dkg

Note that there is also #741005 opened against the NSS package.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Wed, 09 Jan 2019 15:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 09 Jan 2019 15:42:03 GMT) (full text, mbox, link).


Message #25 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Laurent Bigonville <bigon@debian.org>
To: 741005@bugs.debian.org, 704180@bugs.debian.org
Subject: Use p11-kit to replace nssckbi
Date: Wed, 9 Jan 2019 16:39:36 +0100
Hello,

So what is the status of this?

In RHEL 7 they made the switch to p11-kit and libnssckbi.so is an 
alternative between the file shipped by nss and p11-kit-trust.so shipped 
by p11-kit (with p11-kit version being the default).

Should we switch debian by default to p11-kit as well?




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Wed, 09 Jan 2019 22:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 09 Jan 2019 22:03:03 GMT) (full text, mbox, link).


Message #30 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Laurent Bigonville <bigon@debian.org>, 704180@bugs.debian.org, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Wed, 09 Jan 2019 14:04:35 -0500
On Wed 2019-01-09 16:39:36 +0100, Laurent Bigonville wrote:
> So what is the status of this?
>
> In RHEL 7 they made the switch to p11-kit and libnssckbi.so is an 
> alternative between the file shipped by nss and p11-kit-trust.so shipped 
> by p11-kit (with p11-kit version being the default).
>
> Should we switch debian by default to p11-kit as well?

seems like the maintainers of p11-kit could unilaterally decide to
implement the diversion approach mentioned in
https://bugs.debian.org/704180 with a new binary package, if the nss
folks are reluctant to do it.

I'm cc'ing Andreas here to try to get some feedback -- is this something
that there's interest in for the p11-kit maintainers?

     --dkg

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Thu, 10 Jan 2019 18:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Thu, 10 Jan 2019 18:15:03 GMT) (full text, mbox, link).


Message #35 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Laurent Bigonville <bigon@debian.org>
To: David Woodhouse <dwmw2@infradead.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 704180@bugs.debian.org, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Thu, 10 Jan 2019 19:14:06 +0100
On 10/01/19 at 19:03, David Woodhouse wrote:
> On Wed, 2019-01-09 at 14:04 -0500, Daniel Kahn Gillmor wrote:
>> On Wed 2019-01-09 16:39:36 +0100, Laurent Bigonville wrote:
>>> So what is the status of this?
>>>
>>> In RHEL 7 they made the switch to p11-kit and libnssckbi.so is an
>>> alternative between the file shipped by nss and p11-kit-trust.so shipped
>>> by p11-kit (with p11-kit version being the default).
>>>
>>> Should we switch debian by default to p11-kit as well?
>> seems like the maintainers of p11-kit could unilaterally decide to
>> implement the diversion approach mentioned in
>> https://bugs.debian.org/704180 with a new binary package, if the nss
>> folks are reluctant to do it.
>>
>> I'm cc'ing Andreas here to try to get some feedback -- is this something
>> that there's interest in for the p11-kit maintainers?
> That would seem like an excellent way to do it.
>
> However, am I right in thinking that we have multiple packages all
> shipping their *own* special version of the NSS libraries, instead of
> using the system one? Each instance of libnssckbi.so (in firefox,
> thunderbird, etc.) would need to be replaced, wouldn't it?

If I'm searching for a file called libnssckbi.so in the archive, the 
only other occurrence is in package libapache2-mod-nss.

Shouldn't it be better to use an alternative so a local admin can switch 
back to the libnss3 version? When I discussed with Mike about bug 
#820437 he didn't look opposed to using p11-kit, see 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820437#19




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Thu, 10 Jan 2019 19:15:02 GMT) (full text, mbox, link).


Acknowledgement sent to David Woodhouse <dwmw2@infradead.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Thu, 10 Jan 2019 19:15:02 GMT) (full text, mbox, link).


Message #40 received at 704180@bugs.debian.org (full text, mbox, reply):

From: David Woodhouse <dwmw2@infradead.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 704180@bugs.debian.org, Laurent Bigonville <bigon@debian.org>, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Thu, 10 Jan 2019 18:03:35 +0000
On Wed, 2019-01-09 at 14:04 -0500, Daniel Kahn Gillmor wrote:
> On Wed 2019-01-09 16:39:36 +0100, Laurent Bigonville wrote:
> > So what is the status of this?
> > 
> > In RHEL 7 they made the switch to p11-kit and libnssckbi.so is an 
> > alternative between the file shipped by nss and p11-kit-trust.so shipped 
> > by p11-kit (with p11-kit version being the default).
> > 
> > Should we switch debian by default to p11-kit as well?
> 
> seems like the maintainers of p11-kit could unilaterally decide to
> implement the diversion approach mentioned in
> https://bugs.debian.org/704180 with a new binary package, if the nss
> folks are reluctant to do it.
> 
> I'm cc'ing Andreas here to try to get some feedback -- is this something
> that there's interest in for the p11-kit maintainers?

That would seem like an excellent way to do it.

However, am I right in thinking that we have multiple packages all
shipping their *own* special version of the NSS libraries, instead of
using the system one? Each instance of libnssckbi.so (in firefox,
thunderbird, etc.) would need to be replaced, wouldn't it?

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Thu, 10 Jan 2019 21:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Thu, 10 Jan 2019 21:09:02 GMT) (full text, mbox, link).


Message #45 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Laurent Bigonville <bigon@debian.org>, 704180@bugs.debian.org, David Woodhouse <dwmw2@infradead.org>, 704180@bugs.debian.org, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Thu, 10 Jan 2019 15:53:41 -0500
On Thu 2019-01-10 19:14:06 +0100, Laurent Bigonville wrote:
> If I'm searching for a file called libnssckbi.so in the archive, the 
> only other occurrence is in package libapache2-mod-nss.

afaict, that's just a symlink:

   etc/apache2/nssdb/libnssckbi.so ->  /usr/lib/$ARCH_TRIPLET/nss/libnssckbi.so

so i don't think that matters for this discussion.

> Shouldn't it be better to use an alternative so a local admin can switch 
> back to the libnss3 version? When I discussed with Mike about bug 
> #820437 he didn't look opposed to using p11-kit, see 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820437#19

We can use /etc/alternatives if folks want to, but i think a simple "if
this package is installed, that means the admin wants to use it" rule is
easier for people to understand, less fiddly, and clearer when
collecting things like bug report information.

what's the advantage of using alternatives instead of a package-specific
displacement?

        --dkg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Thu, 10 Jan 2019 21:51:02 GMT) (full text, mbox, link).


Acknowledgement sent to David Woodhouse <dwmw2@infradead.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Thu, 10 Jan 2019 21:51:02 GMT) (full text, mbox, link).


Message #50 received at 704180@bugs.debian.org (full text, mbox, reply):

From: David Woodhouse <dwmw2@infradead.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 704180@bugs.debian.org, Laurent Bigonville <bigon@debian.org>, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Thu, 10 Jan 2019 21:48:22 +0000
On Thu, 2019-01-10 at 15:53 -0500, Daniel Kahn Gillmor wrote:
> what's the advantage of using alternatives instead of a package-
> specific displacement?

None really, as long as you put it in a separate p11-kit-trust  package
as Fedora/RHEL do.

You don't want installation of the p11-kit package itself to trigger
the replacement, necessarily. Lots of other things use p11-kit.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Fri, 11 Jan 2019 08:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to David Woodhouse <dwmw2@infradead.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 11 Jan 2019 08:12:03 GMT) (full text, mbox, link).


Message #55 received at 704180@bugs.debian.org (full text, mbox, reply):

From: David Woodhouse <dwmw2@infradead.org>
To: Laurent Bigonville <bigon@debian.org>, 704180@bugs.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Fri, 11 Jan 2019 08:09:02 +0000
On Thu, 2019-01-10 at 19:14 +0100, Laurent Bigonville wrote:
> > However, am I right in thinking that we have multiple packages all
> > shipping their *own* special version of the NSS libraries, instead of
> > using the system one? Each instance of libnssckbi.so (in firefox,
> > thunderbird, etc.) would need to be replaced, wouldn't it?
> 
> If I'm searching for a file called libnssckbi.so in the archive, the 
> only other occurrence is in package libapache2-mod-nss.

Looking back, I see this bug was opened with the comment "With the
recent switch of wheezy-security's iceweasel to using the
embedded copy of nss..."

That was 2014 though. Is it no longer the case?

FWIW my Ubuntu 18.04 box does have separate instances of libnssckbi.so
in /usr/lib/{thunderbird,firefox}/ (along with all the other NSS
libraries, I believe).

Perhaps the answer is that any separate instances of NSS should *not*
ship their own libnssckbi.so and should use the system one. The
interface there is entirely stable as it's PKCS#11, so there won't be
compatibility problems (else p11-kit-trust couldn't work either).



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Fri, 11 Jan 2019 16:24:05 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 11 Jan 2019 16:24:05 GMT) (full text, mbox, link).


Message #60 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: David Woodhouse <dwmw2@infradead.org>, Laurent Bigonville <bigon@debian.org>, 704180@bugs.debian.org, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Fri, 11 Jan 2019 11:21:49 -0500
On Fri 2019-01-11 08:09:02 +0000, David Woodhouse wrote:
> Looking back, I see this bug was opened with the comment "With the
> recent switch of wheezy-security's iceweasel to using the
> embedded copy of nss..."
>
> That was 2014 though. Is it no longer the case?

i can confirm that it is no longer the case. I've got firefox and
thunderbird on a debian buster/sid system and they do not ship
libnssckbi.so -- they appear to rely on the one in the libnss3 package.

> FWIW my Ubuntu 18.04 box does have separate instances of libnssckbi.so
> in /usr/lib/{thunderbird,firefox}/ (along with all the other NSS
> libraries, I believe).

that's interesting; i've got firefox (64.0-1) and firefox-esr
(60.4.0esr-1) and thunderbird (1:60.3.1-1) installed and this is dpkg's
full scan of the system for libnssckbi.so:

0 dkg@alice:~$ dpkg -S libnssckbi.so
libnss3:amd64: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
0 dkg@alice:~$ 

> Perhaps the answer is that any separate instances of NSS should *not*
> ship their own libnssckbi.so and should use the system one. The
> interface there is entirely stable as it's PKCS#11, so there won't be
> compatibility problems (else p11-kit-trust couldn't work either).

sounds like a bug report to ubuntu is in order.

       --dkg
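
An added example, not part of the thread or of any Debian package: a POSIX shell check that finds every libnssckbi.so under a root directory and reports whether it resolves to p11-kit-trust.so or is still a built-in NSS root list, which covers both the diverted system copy and the bundled per-application copies discussed above. The function names (classify_ckbi, count_builtin, make_sample_tree) and the sample tree are hypothetical and constructed for illustration; readlink -f is assumed to be available (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# classify_ckbi ROOT
#   Print one line per libnssckbi.so found under ROOT: "<status> <path>"
#     p11-kit  - resolves (through any chain of symlinks) to p11-kit-trust.so
#     builtin  - a regular file, or a symlink to something else (NSS's own list)
#     dangling - a symlink whose final target does not exist
classify_ckbi() {
    root=$1
    prefix=${root%/}    # so that ROOT=/ prints full paths unchanged
    find "$root" -name 'libnssckbi.so' \( -type f -o -type l \) 2>/dev/null |
    sort |
    while IFS= read -r path; do
        if [ -L "$path" ] && [ ! -e "$path" ]; then
            status=dangling
        else
            real=$(readlink -f -- "$path")
            case ${real##*/} in
                p11-kit-trust.so) status=p11-kit ;;
                *)                status=builtin ;;
            esac
        fi
        printf '%s %s\n' "$status" "${path#"$prefix"}"
    done
}

# count_builtin ROOT
#   Number of copies that still bypass the system trust store.
count_builtin() {
    classify_ckbi "$1" | awk '$1 == "builtin" { n++ } END { print n + 0 }'
}

# make_sample_tree
#   Build a constructed directory tree (empty placeholder files, no real
#   libraries) that mirrors the layouts mentioned in the thread, and print
#   its location:
#     - the system copy replaced by a symlink to p11-kit-trust.so
#     - a bundled copy under /usr/lib/firefox (as reported on Ubuntu 18.04)
#     - the libapache2-mod-nss symlink pointing back at the system copy
make_sample_tree() {
    t=$(mktemp -d)
    lib=$t/usr/lib/x86_64-linux-gnu
    mkdir -p "$lib/nss" "$lib/pkcs11" "$t/usr/lib/firefox" "$t/etc/apache2/nssdb"
    : > "$lib/pkcs11/p11-kit-trust.so"
    : > "$lib/nss/libnssckbi.so.orig"              # the diverted original
    ln -s ../pkcs11/p11-kit-trust.so "$lib/nss/libnssckbi.so"
    : > "$t/usr/lib/firefox/libnssckbi.so"         # bundled copy, not diverted
    ln -s "$lib/nss/libnssckbi.so" "$t/etc/apache2/nssdb/libnssckbi.so"
    printf '%s\n' "$t"
}

# Stand-alone use: pass a root to scan, e.g.  sh check-ckbi.sh /
if [ "$#" -gt 0 ]; then
    classify_ckbi "$1"
fi
```

Any line reported as builtin is a copy that the diversion does not reach, so applications loading it keep their compiled-in CA list regardless of what the administrator configures in the system store.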

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Fri, 11 Jan 2019 16:24:06 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 11 Jan 2019 16:24:06 GMT) (full text, mbox, link).


Message #65 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: David Woodhouse <dwmw2@infradead.org>, 704180@bugs.debian.org, Laurent Bigonville <bigon@debian.org>, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Fri, 11 Jan 2019 11:17:32 -0500
On Thu 2019-01-10 21:48:22 +0000, David Woodhouse wrote:
> On Thu, 2019-01-10 at 15:53 -0500, Daniel Kahn Gillmor wrote:
>> what's the advantage of using alternatives instead of a package-
>> specific displacement?
>
> None really, as long as you put it in a separate p11-kit-trust  package
> as Fedora/RHEL do.
>
> You don't want installation of the p11-kit package itself to trigger
> the replacement, necessarily. Lots of other things use p11-kit.

yes, agreed, it would be a separate and distinct binary package, not
p11-kit on its own.

        --dkg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Fri, 11 Jan 2019 17:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 11 Jan 2019 17:21:03 GMT) (full text, mbox, link).


Message #70 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Laurent Bigonville <bigon@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, David Woodhouse <dwmw2@infradead.org>, 704180@bugs.debian.org, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Fri, 11 Jan 2019 18:17:26 +0100
On 11/01/19 at 17:17, Daniel Kahn Gillmor wrote:
> On Thu 2019-01-10 21:48:22 +0000, David Woodhouse wrote:
>> On Thu, 2019-01-10 at 15:53 -0500, Daniel Kahn Gillmor wrote:
>>> what's the advantage of using alternatives instead of a package-
>>> specific displacement?
>> None really, as long as you put it in a separate p11-kit-trust  package
>> as Fedora/RHEL do.
>>
>> You don't want installation of the p11-kit package itself to trigger
>> the replacement, necessarily. Lots of other things use p11-kit.
> yes, agreed, it would be a separate and distinct binary package, not
> p11-kit on its own.
The problem is what/who will decide if this package is installed? If 
that package is being pulled by another package for some reason, that 
means that the local administrator will not be able to revert the 
decision of the package maintainer who has added this dependency



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Fri, 11 Jan 2019 17:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 11 Jan 2019 17:39:04 GMT) (full text, mbox, link).


Message #75 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Laurent Bigonville <bigon@debian.org>, David Woodhouse <dwmw2@infradead.org>, 704180@bugs.debian.org, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Fri, 11 Jan 2019 12:28:52 -0500
On Fri 2019-01-11 18:17:26 +0100, Laurent Bigonville wrote:
> The problem is what/who will decide if this package is installed? If 
> that package is being pulled by another package for some reason, that 
> means that the local administrator will not be able to revert the 
> decision of the package maintainer who has added this dependency

agreed, a runtime dependency on that for anything but a "preferred
system configuration"-style metapackage would be a bad thing.  but it'd
also be a very visible thing.

Hopefully if that happened, the affected user could report a bug on that
dependency, and in the meantime work around it with something like
equivs.

        --dkg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Sun, 13 Jan 2019 19:21:05 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Sun, 13 Jan 2019 19:21:05 GMT) (full text, mbox, link).


Message #80 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@bebt.de>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 704180@bugs.debian.org
Cc: David Woodhouse <dwmw2@infradead.org>, Laurent Bigonville <bigon@debian.org>, 741005@bugs.debian.org
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Sun, 13 Jan 2019 19:07:42 +0100
On 2019-01-11 Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> On Thu 2019-01-10 21:48:22 +0000, David Woodhouse wrote:
>> On Thu, 2019-01-10 at 15:53 -0500, Daniel Kahn Gillmor wrote:
>>> what's the advantage of using alternatives instead of a package-
>>> specific displacement?

>> None really, as long as you put it in a separate p11-kit-trust package
>> as Fedora/RHEL do.

>> You don't want installation of the p11-kit package itself to trigger
>> the replacement, necessarily. Lots of other things use p11-kit.

> yes, agreed, it would be a separate and distinct binary package, not
> p11-kit on its own.

The coding would be straightforward afaict.

https://salsa.debian.org/gnutls-team/p11-kit/commits/tmp-704180-divertnss

I have not done any firefox testing apart from "it does not crash",
though. ;-)

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Sun, 13 Jan 2019 21:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Sun, 13 Jan 2019 21:00:03 GMT) (full text, mbox, link).


Message #85 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Laurent Bigonville <bigon@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, David Woodhouse <dwmw2@infradead.org>, 704180@bugs.debian.org, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Sun, 13 Jan 2019 20:40:08 +0100
On 11/01/19 at 18:28, Daniel Kahn Gillmor wrote:
> On Fri 2019-01-11 18:17:26 +0100, Laurent Bigonville wrote:
>> The problem is what/who will decide if this package is installed? If
>> that package is being pulled by another package for some reason, that
>> means that the local administrator will not be able to revert the
>> decision of the package maintainer who has added this dependency
> agreed, a runtime dependency on that for anything but a "preferred
> system configuration"-style metapackage would be a bad thing.  but it'd
> also be a very visible thing.
>
> Hopefully if that happened, the affected user could report a bug on that
> dependency, and in the meantime work around it with something like
> equivs.

The problem is that if nothing is pulling the new package in the default 
installation, nobody will ever use it. And we will create a new 
difference between debian and the other distributions.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Mon, 14 Jan 2019 15:36:02 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 14 Jan 2019 15:36:02 GMT) (full text, mbox, link).


Message #90 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Laurent Bigonville <bigon@debian.org>, David Woodhouse <dwmw2@infradead.org>, 704180@bugs.debian.org, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Mon, 14 Jan 2019 10:30:53 -0500
On Sun 2019-01-13 20:40:08 +0100, Laurent Bigonville wrote:
> The problem is that if nothing is pulling the new package in the default 
> installation, nobody will ever use it.

hm, this is true, but it's also likely to be true for a non-default
debconf choice as well, right?  most people keep their debconf priority
at low, and i can't imagine that we'll add this as a high-priority
debconf question.

> And we will create a new difference between debian and the other
> distributions.

David Woodhouse suggests that Fedora ships this configuration choice as
a distinct package called p11-kit-trust -- so as long as we name the
package the same way, we're actually closing a gap between debian and
the other distros.

    --dkg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Mon, 14 Jan 2019 15:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 14 Jan 2019 15:36:04 GMT) (full text, mbox, link).


Message #95 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Andreas Metzler <ametzler@bebt.de>, 704180@bugs.debian.org
Cc: David Woodhouse <dwmw2@infradead.org>, Laurent Bigonville <bigon@debian.org>, 741005@bugs.debian.org
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Mon, 14 Jan 2019 10:33:11 -0500
On Sun 2019-01-13 19:07:42 +0100, Andreas Metzler wrote:
> The coding would be straightforward afaict.
>
> https://salsa.debian.org/gnutls-team/p11-kit/commits/tmp-704180-divertnss

I like the looks of this, though perhaps we want to name the new package
p11-kit-trust to be more in line with the name given by other distros.

> I have not done any firefox testing apart from "it does not crash",
> though. ;-)

I will try to build and test it soon -- it'd be good to write an
automated test suite too, though i'm not sure how to do that with
firefox.

        --dkg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Mon, 14 Jan 2019 16:30:19 GMT) (full text, mbox, link).


Acknowledgement sent to David Woodhouse <dwmw2@infradead.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 14 Jan 2019 16:30:19 GMT) (full text, mbox, link).


Message #100 received at 704180@bugs.debian.org (full text, mbox, reply):

From: David Woodhouse <dwmw2@infradead.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Andreas Metzler <ametzler@bebt.de>, 704180@bugs.debian.org
Cc: Laurent Bigonville <bigon@debian.org>, 741005@bugs.debian.org
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Mon, 14 Jan 2019 18:27:37 +0200
On Mon, 2019-01-14 at 10:33 -0500, Daniel Kahn Gillmor wrote:
> On Sun 2019-01-13 19:07:42 +0100, Andreas Metzler wrote:
> > The coding would be straightforward afaict.
> > 
> > https://salsa.debian.org/gnutls-team/p11-kit/commits/tmp-704180-divertnss
> 
> I like the looks of this, though perhaps we want to name the new package
> p11-kit-trust to be more in line with the name given by other distros.

In Fedora it's called p11-kit-trust and it's pulled in by default as a
dependency of various other packages including NSS and GnuTLS. In fact
I think GnuTLS is built to use it as its default trust store, so not
installing it isn't really a possibility. It also provides the standard
update-ca-certificates mechanism which manages the CAs used by OpenSSL.

They use alternatives so that if the user really wants to disable it
for NSS and use the standard libnssckbi.so for NSS, they can.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Sun, 07 Feb 2021 17:24:02 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Fischer <holger.fischer@hoonet.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Sun, 07 Feb 2021 17:24:02 GMT) (full text, mbox, link).


Message #110 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Holger Fischer <holger.fischer@hoonet.org>
To: 704180@bugs.debian.org
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Sun, 07 Feb 2021 18:11:50 +0100
Hi,
Bullseye will be frozen soon. Let's manage to get this sorted out b4
😀️.

What is the status here?
How can I help to get this feature implemented?


BTW: I think #926388 is a duplicate

BR
DI(FH) Holger Fischer, MSc




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Sun, 07 Feb 2021 20:27:02 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Fischer <holger.fischer@hoonet.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Sun, 07 Feb 2021 20:27:02 GMT) (full text, mbox, link).


Message #115 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Holger Fischer <holger.fischer@hoonet.org>
To: 704180@bugs.debian.org
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Sun, 07 Feb 2021 21:22:41 +0100
Hi,
as suggested on #debian-next IRC channel, I prepared an updated version
of fix mentioned in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180#80 .
The package is renamed now to p11-kit-trust as suggested to be on par
with other Linux distributions.

The new version can be found here:

https://gitlab.com/hoocloud/deb/p11-kit (branch feature-p11-kit-trust)

The sources are attached.

@Andreas Metzler: Please let me know if this change will make it into
Bullseye or if there is something else, which I can do to help.

p11-kit-trust should make it into the next release:
- it is optional (if you do not install p11-kit-trust, the default
  behaviour of Debian is ensured)
- once it is installed, it is very straightforward to integrate your
  local certificate authorities (like your local CA and the CA of
  Proxmox VE f.e.) into your system. Directly after doing
  update-ca-certificates and installing p11-kit-trust, Firefox f.e.
  trusts all your local authorities without restart (just reload the
  browser tab, et voila).


BR
DI(FH) Holger Fischer, MSc


On Sun, 2021-02-07 at 18:11 +0100, Holger Fischer wrote:
> Hi,
> Bullseye will be frozen soon. Let's manage to get this sorted out b4
> 😀️.
> 
> What is the status here?
> How can I help to get this feature implemented?
> 
> 
> BTW: I think #926388 is a duplicate
> 
> BR
> DI(FH) Holger Fischer, MSc

[p11-kit_0.23.22.orig.tar.xz (application/x-xz-compressed-tar, attachment)]
[p11-kit_0.23.22-2.debian.tar.xz (application/x-xz-compressed-tar, attachment)]
[p11-kit_0.23.22-2.dsc (text/plain, attachment)]
[p11-kit_0.23.22-2_amd64.buildinfo (text/plain, attachment)]
[p11-kit_0.23.22-2_amd64.changes (text/plain, attachment)]
[p11-kit_0.23.22-2_source.buildinfo (text/plain, attachment)]
[p11-kit_0.23.22-2_source.changes (text/plain, attachment)]


Information forwarded to debian-bugs-dist@lists.debian.org, sam@robots.org.uk, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Fri, 03 Mar 2023 14:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sam Morris <sam@robots.org.uk>:
Extra info received and forwarded to list. Copy sent to sam@robots.org.uk, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 03 Mar 2023 14:45:03 GMT) (full text, mbox, link).


Message #130 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Sam Morris <sam@robots.org.uk>
To: Debian Bug Tracking System <704180@bugs.debian.org>
Subject: Re: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so
Date: Fri, 03 Mar 2023 14:43:48 +0000
Package: p11-kit
Version: 0.24.1-2
Followup-For: Bug #704180
X-Debbugs-Cc: sam@robots.org.uk
Control: tag -1 + patch

FYI, the file paths in the original bug report are no longer accurate
for Debian 12 ("bookworm").

  Old path: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
  New path: /usr/lib/x86_64-linux-gnu/libnssckbi.so

Commands to divert the original file and replace it with a symlink:

  # dpkg-divert --add --rename /usr/lib/x86_64-linux-gnu/libnssckbi.so
  # ln -sr /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/libnssckbi.so

Commands to clean up the old diversion:

  # dpkg-divert --rename --remove /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
  # dpkg -S /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
    ... output should show that this is no longer owned by any package
  # rm /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so

-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (570, 'stable-updates'), (570, 'stable-security'), (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-3-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages p11-kit depends on:
ii  libc6            2.36-8
ii  libp11-kit0      0.24.1-2
ii  libtasn1-6       4.16.0-2+deb11u1
ii  p11-kit-modules  0.24.1-2

p11-kit recommends no packages.

p11-kit suggests no packages.

-- no debconf information



Added tag(s) patch. Request was from Sam Morris <sam@robots.org.uk> to 704180-submit@bugs.debian.org. (Fri, 03 Mar 2023 14:45:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Wed, 14 Jun 2023 07:36:05 GMT) (full text, mbox, link).


Acknowledgement sent to Sam Morris <sam@robots.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 14 Jun 2023 07:36:05 GMT) (full text, mbox, link).


Message #137 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Sam Morris <sam@robots.org.uk>
To: 704180@bugs.debian.org
Subject: Re: Bug#704180: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so
Date: Wed, 14 Jun 2023 07:57:27 +0100
On Fri, Mar 03, 2023 at 02:43:48PM +0000, Sam Morris wrote:
> FYI, the file paths in the original bug report are no longer accurate
> for Debian 12 ("bookworm").
> 
>   Old path: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
>   New path: /usr/lib/x86_64-linux-gnu/libnssckbi.so
> 
> Commands to divert the original file and replace it with a symlink:
> 
>   # dpkg-divert --add --rename /usr/lib/x86_64-linux-gnu/libnssckbi.so
>   # ln -sr /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/libnssckbi.so
> 
> Commands to clean up the old diversion:
> 
>   # dpkg-divert --rename --remove /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
>   # dpkg -S /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
>     ... output should show that this is no longer owned by any package
>   # rm /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so

A convenient way to test that the above works (instead of having to
restart your browser) is to use the following tool from the
libnss3-tools package:

    $ vfyserv server.example.com
    Connecting to host server.example.com (addr 198.51.100.99) on port 443
    Handshake Complete: SERVER CONFIGURED CORRECTLY
       bulk cipher AES-256-GCM, 256 secret key bits, 256 key bits, status: 1
       subject DN:
     CN=server.example.com,O=Example private certificate authority
       issuer  DN:
     CN=Certificate Authority,O=Example private certificate authority
       0 cache hits; 0 cache misses, 0 cache not reusable
    ***** Connection 1 read 488 bytes total.

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Tue, 27 Jun 2023 15:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sam Morris <sam@robots.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Tue, 27 Jun 2023 15:36:03 GMT) (full text, mbox, link).


Message #142 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Sam Morris <sam@robots.org.uk>
To: 704180@bugs.debian.org
Subject: Re: Bug#704180: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so
Date: Tue, 27 Jun 2023 16:33:06 +0100
On Fri, Mar 03, 2023 at 02:43:48PM +0000, Sam Morris wrote:
> Commands to divert the original file and replace it with a symlink:
> 
>   # dpkg-divert --add --rename /usr/lib/x86_64-linux-gnu/libnssckbi.so
>   # ln -sr /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/libnssckbi.so

Unfortunately this no longer works reliably. Since libnssckbi.so is now
found in /usr/lib/x86_64-linux-gnu, as soon as any library package is
installed or upgraded, ldconfig will be run, which will replace
the symlink.

(This is noted in the dpkg-divert man page).

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#704180; Package p11-kit. (Wed, 28 Jun 2023 13:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to Sam Morris <sam@robots.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 28 Jun 2023 13:33:06 GMT) (full text, mbox, link).


Message #147 received at 704180@bugs.debian.org (full text, mbox, reply):

From: Sam Morris <sam@robots.org.uk>
To: 704180@bugs.debian.org
Subject: Re: Bug#704180: p11-kit: provide package that diverts libnssckbi.so and replaces it with p11-kit-trust.so
Date: Wed, 28 Jun 2023 14:30:34 +0100
On Tue, Jun 27, 2023 at 04:33:06PM +0100, Sam Morris wrote:
> On Fri, Mar 03, 2023 at 02:43:48PM +0000, Sam Morris wrote:
> > Commands to divert the original file and replace it with a symlink:
> > 
> >   # dpkg-divert --add --rename /usr/lib/x86_64-linux-gnu/libnssckbi.so
> >   # ln -sr /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/libnssckbi.so
> 
> Unfortunately this no longer works reliably. Since libnssckbi.so is now
> found in /usr/lib/x86_64-linux-gnu, as soon as any library package is
> installed or upgraded, ldconfig will be run, which will replace
> the symlink.

Workaround: divert libnssckbi.so to a location outside of
/usr/lib/x86_64-linux-gnu, like so:

    # dpkg-divert --local --rename --divert /usr/lib.x86_64-linux-gnu.libnssckbi.so.diverted --add /usr/lib/x86_64-linux-gnu/libnssckbi.so
    Adding 'local diversion of /usr/lib/x86_64-linux-gnu/libnssckbi.so to /usr/lib.x86_64-linux-gnu.libnssckbi.so.diverted'

Ugly, but now ldconfig will not find the original file and create a
symlink to it based on its SONAME.

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
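
Added example, not part of the thread or of any Debian package: a POSIX shell check for the failure mode described in the two messages above, reporting whether libnssckbi.so still resolves to p11-kit-trust.so and whether the diverted original sits where ldconfig would relink it. The function names and the scratch-directory fixture are made up for illustration, and the check assumes LIBDIR is the only ldconfig-scanned directory that matters.

```shell
#!/bin/sh
# Usage: nssckbi_status LIBDIR [DIVERTED_PATH]
#   LIBDIR         directory holding libnssckbi.so
#   DIVERTED_PATH  where the original library was diverted to; when
#                  omitted it is looked up with dpkg-divert --truename
# Prints one word:
#   missing     no libnssckbi.so in LIBDIR
#   builtin     libnssckbi.so is a regular file (NSS built-in roots)
#   reverted    symlink exists but does not resolve to p11-kit-trust.so
#   undiverted  override active, but no diversion is known, so a package
#               upgrade may overwrite the symlink
#   fragile     override active, but the diverted original is in LIBDIR,
#               where ldconfig finds it and relinks by SONAME
#   stable      override active and the original is outside LIBDIR
nssckbi_status() {
    libdir=$1
    link=$libdir/libnssckbi.so

    if [ ! -L "$link" ]; then
        if [ -e "$link" ]; then echo builtin; else echo missing; fi
        return 0
    fi

    # Follow the symlink chain and compare the final file name.
    target=$(readlink -f -- "$link") || target=
    if [ "$(basename -- "$target")" != p11-kit-trust.so ]; then
        echo reverted
        return 0
    fi

    diverted=${2:-}
    if [ -z "$diverted" ] && command -v dpkg-divert >/dev/null 2>&1; then
        # Prints the path itself when no diversion is registered.
        diverted=$(dpkg-divert --truename "$link")
    fi
    if [ -z "$diverted" ] || [ "$diverted" = "$link" ]; then
        echo undiverted
        return 0
    fi

    # Compare physical directories so symlinked parents do not hide a match.
    ddir=$(cd "$(dirname -- "$diverted")" 2>/dev/null && pwd -P) || ddir=
    ldir=$(cd "$libdir" 2>/dev/null && pwd -P) || ldir=
    if [ -e "$diverted" ] && [ -n "$ddir" ] && [ "$ddir" = "$ldir" ]; then
        echo fragile
    else
        echo stable
    fi
}

# Constructed fixture (not a real system): lays out the bookworm paths
# from the thread under a scratch ROOT, using empty placeholder files.
#   $2 = inside   original diverted next to the symlink, using
#                 dpkg-divert's default <file>.distrib name
#   $2 = outside  original diverted out of the library directory
# Sets fixture_diverted to the diverted path it created.
make_fixture() {
    root=$1
    lib=$root/usr/lib/x86_64-linux-gnu
    mkdir -p "$lib/pkcs11"
    : > "$lib/pkcs11/p11-kit-trust.so"
    ln -s pkcs11/p11-kit-trust.so "$lib/libnssckbi.so"
    case $2 in
        inside)  fixture_diverted=$lib/libnssckbi.so.distrib ;;
        outside) fixture_diverted=$root/usr/lib.x86_64-linux-gnu.libnssckbi.so.diverted ;;
    esac
    : > "$fixture_diverted"
}

# When run with arguments, report on that directory, e.g.
#   sh nssckbi-status.sh /usr/lib/x86_64-linux-gnu
if [ "$#" -gt 0 ]; then nssckbi_status "$@"; fi
```

A result of `reverted` after a library upgrade is the symptom described above: applications using NSS are back on the built-in root list rather than the system trust store.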




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 2 15:23:01 2025; Machine Name: berlioz
