Report forwarded
to debian-bugs-dist@lists.debian.org, p11-kit@packages.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>: Bug#741005; Package src:nss.
(Fri, 07 Mar 2014 10:00:06 GMT).
Acknowledgement sent
to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to p11-kit@packages.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Fri, 07 Mar 2014 10:00:06 GMT).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: iceweasel: using p11-kit to replace nssckbi?
Date: Fri, 7 Mar 2014 10:55:42 +0100
Source: nss
Severity: wishlist
Version: 2:3.14.5-1
X-Debbugs-CC: p11-kit@packages.debian.org
Hi Mike, everyone,
With the recent switch of wheezy-security's iceweasel to using the
embedded copy of nss I was hit again by some local certificates being
missing. Sure enough, this is not a new issue and was expected.
However, I'm wondering about using p11-kit's -trust.so provider to
replace nssckbi, pretty much like described by #704180 but done
directly by nss. The aim being to finally centralise this in a way
that is, slightly, more flexible than it currently is.
Now, there are of course some downsides which include losing specific
usage and trust settings. I'm not too worried about usage settings as
much as I am for the trust bits. How could we distrust an intermediate
CA next time if we use p11-kit?
What is your opinion on all this? what other difference between the
two providers is there that I might be missing?
Thanks in advance.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Marked as found in versions nss/2:3.23-2.
Request was from Laurent Bigonville <bigon@debian.org>
to control@bugs.debian.org.
(Tue, 19 Apr 2016 15:00:11 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>: Bug#741005; Package src:nss.
(Thu, 02 Mar 2017 16:21:08 GMT).
Acknowledgement sent
to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Thu, 02 Mar 2017 16:21:08 GMT).
Subject: Re: iceweasel: using p11-kit to replace nssckbi?
Date: Thu, 2 Mar 2017 17:16:54 +0100
On Fri, 7 Mar 2014 10:55:42 +0100 Raphael Geissert <geissert@debian.org>
wrote:
> Hi Mike, everyone,
>
> With the recent switch of wheezy-security's iceweasel to using the
> embedded copy of nss I was hit again by some local certificates being
> missing. Sure enough, this is not a new issue and was expected.
>
> However, I'm wondering about using p11-kit's -trust.so provider to
> replace nssckbi, pretty much like described by #704180 but done
> directly by nss. The aim being to finally centralise this in a way
> that is, slightly, more flexible than it currently is.
>
> Now, there are of course some downsides which include losing specific
> usage and trust settings. I'm not too worried about usage settings as
> much as I am for the trust bits. How could we distrust an intermediate
> CA next time if we use p11-kit?
>
> What is your opinion on all this? what other difference between the
> two providers is there that I might be missing?
>
> Thanks in advance.
>
> Cheers,
FTR, is trying to do something similar and use p11-kit for everything:
https://fedoraproject.org/wiki/FedoraCryptoConsolidation
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Wed, 09 Jan 2019 15:42:05 GMT).
Acknowledgement sent
to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Wed, 09 Jan 2019 15:42:05 GMT).
To: 741005@bugs.debian.org, 704180@bugs.debian.org
Subject: Use p11-kit to replace nssckbi
Date: Wed, 9 Jan 2019 16:39:36 +0100
Hello,
So what is the status of this?
In RHEL 7 they made the switch to p11-kit and libnssckbi.so is an
alternative between the file shipped by nss and p11-kit-trust.so shipped
by p11-kit (with p11-kit version being the default).
Should we switch debian by default to p11-kit as well?
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Wed, 09 Jan 2019 22:03:05 GMT).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Wed, 09 Jan 2019 22:03:05 GMT).
On Wed 2019-01-09 16:39:36 +0100, Laurent Bigonville wrote:
> So what is the status of this?
>
> In RHEL 7 they made the switch to p11-kit and libnssckbi.so is an
> alternative between the file shipped by nss and p11-kit-trust.so shipped
> by p11-kit (with p11-kit version being the default).
>
> Should we switch debian by default to p11-kit as well?
seems like the maintainers of p11-kit could unilaterally decide to
implement the diversion approach mentioned in
https://bugs.debian.org/704180 with a new binary package, if the nss
folks are reluctant to do it.
I'm cc'ing Andreas here to try to get some feedback -- is this something
that there's interest in for the p11-kit maintainers?
--dkg
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Thu, 10 Jan 2019 18:15:04 GMT).
Acknowledgement sent
to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Thu, 10 Jan 2019 18:15:05 GMT).
To: David Woodhouse <dwmw2@infradead.org>,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 704180@bugs.debian.org,
741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Thu, 10 Jan 2019 19:14:06 +0100
On 10/01/19 at 19:03, David Woodhouse wrote:
> On Wed, 2019-01-09 at 14:04 -0500, Daniel Kahn Gillmor wrote:
>> On Wed 2019-01-09 16:39:36 +0100, Laurent Bigonville wrote:
>>> So what is the status of this?
>>>
>>> In RHEL 7 they made the switch to p11-kit and libnssckbi.so is an
>>> alternative between the file shipped by nss and p11-kit-trust.so shipped
>>> by p11-kit (with p11-kit version being the default).
>>>
>>> Should we switch debian by default to p11-kit as well?
>> seems like the maintainers of p11-kit could unilaterally decide to
>> implement the diversion approach mentioned in
>> https://bugs.debian.org/704180 with a new binary package, if the nss
>> folks are reluctant to do it.
>>
>> I'm cc'ing Andreas here to try to get some feedback -- is this something
>> that there's interest in for the p11-kit maintainers?
> That would seem like an excellent way to do it.
>
> However, am I right in thinking that we have multiple packages all
> shipping their *own* special version of the NSS libraries, instead of
> using the system one? Each instance of libnssckbi.so (in firefox,
> thunderbird, etc.) would need to be replaced, wouldn't it?
If I'm searching for a file called libnssckbi.so in the archive, the
only other occurrence is in package libapache2-mod-nss.
Shouldn't it be better to use an alternative so a local admin can switch
back to the libnss3 version? When I discussed with Mike about bug
#820437 he didn't look opposed to using p11-kit, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820437#19
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Thu, 10 Jan 2019 19:15:04 GMT).
Acknowledgement sent
to David Woodhouse <dwmw2@infradead.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Thu, 10 Jan 2019 19:15:04 GMT).
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 704180@bugs.debian.org,
Laurent Bigonville <bigon@debian.org>, 741005@bugs.debian.org, Andreas
Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
On Wed, 2019-01-09 at 14:04 -0500, Daniel Kahn Gillmor wrote:
> On Wed 2019-01-09 16:39:36 +0100, Laurent Bigonville wrote:
> > So what is the status of this?
> >
> > In RHEL 7 they made the switch to p11-kit and libnssckbi.so is an
> > alternative between the file shipped by nss and p11-kit-trust.so shipped
> > by p11-kit (with p11-kit version being the default).
> >
> > Should we switch debian by default to p11-kit as well?
>
> seems like the maintainers of p11-kit could unilaterally decide to
> implement the diversion approach mentioned in
> https://bugs.debian.org/704180 with a new binary package, if the nss
> folks are reluctant to do it.
>
> I'm cc'ing Andreas here to try to get some feedback -- is this something
> that there's interest in for the p11-kit maintainers?
That would seem like an excellent way to do it.
However, am I right in thinking that we have multiple packages all
shipping their *own* special version of the NSS libraries, instead of
using the system one? Each instance of libnssckbi.so (in firefox,
thunderbird, etc.) would need to be replaced, wouldn't it?
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Thu, 10 Jan 2019 21:09:04 GMT).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Thu, 10 Jan 2019 21:09:04 GMT).
To: Laurent Bigonville <bigon@debian.org>, 704180@bugs.debian.org, David Woodhouse <dwmw2@infradead.org>, 704180@bugs.debian.org, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Thu, 10 Jan 2019 15:53:41 -0500
On Thu 2019-01-10 19:14:06 +0100, Laurent Bigonville wrote:
> If I'm searching for a file called libnssckbi.so in the archive, the
> only other occurrence is in package libapache2-mod-nss.
afaict, that's just a symlink:
etc/apache2/nssdb/libnssckbi.so -> /usr/lib/$ARCH_TRIPLET/nss/libnssckbi.so
so i don't think that matters for this discussion.
> Shouldn't it be better to use an alternative so a local admin can switch
> back to the libnss3 version? When I discussed with Mike about bug
> #820437 he didn't look opposed to using p11-kit, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820437#19
We can use /etc/alternatives if folks want to, but i think a simple "if
this package is installed, that means the admin wants to use it" rule is
easier for people to understand, less fiddly, and clearer when
collecting things like bug report information.
what's the advantage of using alternatives instead of a package-specific
displacement?
--dkg
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Thu, 10 Jan 2019 21:51:04 GMT).
Acknowledgement sent
to David Woodhouse <dwmw2@infradead.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Thu, 10 Jan 2019 21:51:04 GMT).
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 704180@bugs.debian.org,
Laurent Bigonville <bigon@debian.org>, 741005@bugs.debian.org, Andreas
Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
On Thu, 2019-01-10 at 15:53 -0500, Daniel Kahn Gillmor wrote:
> what's the advantage of using alternatives instead of a package-
> specific displacement?
None really, as long as you put it in a separate p11-kit-trust package
as Fedora/RHEL do.
You don't want installation of the p11-kit package itself to trigger
the replacement, necessarily. Lots of other things use p11-kit.
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Fri, 11 Jan 2019 08:12:05 GMT).
Acknowledgement sent
to David Woodhouse <dwmw2@infradead.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Fri, 11 Jan 2019 08:12:05 GMT).
To: Laurent Bigonville <bigon@debian.org>, 704180@bugs.debian.org, Daniel
Kahn Gillmor <dkg@fifthhorseman.net>, 741005@bugs.debian.org, Andreas
Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
On Thu, 2019-01-10 at 19:14 +0100, Laurent Bigonville wrote:
> > However, am I right in thinking that we have multiple packages all
> > shipping their *own* special version of the NSS libraries, instead of
> > using the system one? Each instance of libnssckbi.so (in firefox,
> > thunderbird, etc.) would need to be replaced, wouldn't it?
>
> If I'm searching for a file called libnssckbi.so in the archive, the
> only other occurrence is in package libapache2-mod-nss.
Looking back, I see this bug was opened with the comment "With the
recent switch of wheezy-security's iceweasel to using the
embedded copy of nss..."
That was 2014 though. Is it no longer the case?
FWIW my Ubuntu 18.04 box does have separate instances of libnssckbi.so
in /usr/lib/{thunderbird,firefox}/ (along with all the other NSS
libraries, I believe).
Perhaps the answer is that any separate instances of NSS should *not*
ship their own libnssckbi.so and should use the system one. The
interface there is entirely stable as it's PKCS#11, so there won't be
compatibility problems (else p11-kit-trust couldn't work either).
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Fri, 11 Jan 2019 16:24:08 GMT).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Fri, 11 Jan 2019 16:24:08 GMT).
To: David Woodhouse <dwmw2@infradead.org>, Laurent Bigonville <bigon@debian.org>, 704180@bugs.debian.org, 741005@bugs.debian.org, Andreas
Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
On Fri 2019-01-11 08:09:02 +0000, David Woodhouse wrote:
> Looking back, I see this bug was opened with the comment "With the
> recent switch of wheezy-security's iceweasel to using the
> embedded copy of nss..."
>
> That was 2014 though. Is it no longer the case?
i can confirm that it is no longer the case. I've got firefox and
thunderbird on a debian buster/sid system and they do not ship
libnssckbi.so -- they appear to rely on the one in the libnss3 package.
> FWIW my Ubuntu 18.04 box does have separate instances of libnssckbi.so
> in /usr/lib/{thunderbird,firefox}/ (along with all the other NSS
> libraries, I believe).
that's interesting; i've got firefox (64.0-1) and firefox-esr
(60.4.0esr-1) and thunderbird (1:60.3.1-1) installed and this is dpkg's
full scan of the system for libnssckbi.so:
0 dkg@alice:~$ dpkg -S libnssckbi.so
libnss3:amd64: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
0 dkg@alice:~$
> Perhaps the answer is that any separate instances of NSS should *not*
> ship their own libnssckbi.so and should use the system one. The
> interface there is entirely stable as it's PKCS#11, so there won't be
> compatibility problems (else p11-kit-trust couldn't work either).
sounds like a bug report to ubuntu is in order.
--dkg
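As an added example (not part of the bug thread and not code from the nss or p11-kit packaging), the sketch below walks a directory tree, follows symlink chains, and labels each libnssckbi.so as the system NSS module, a link that ends at p11-kit-trust.so, some other link, a dangling link, or an application-private copy like the ones in the original report. The sample tree, the class names and the `ckbi` alternatives link are constructed for illustration; real paths on a given system are an assumption to verify.

```shell
#!/bin/sh
# Added example: audit which trust module each libnssckbi.so really provides.

# classify_ckbi FILE SYSTEM_DIR -> prints one class name
classify_ckbi() {
    file=$1 system_dir=$2
    if [ -L "$file" ]; then
        # A symlink whose final target is missing cannot provide any roots.
        if [ ! -e "$file" ]; then echo dangling; return; fi
        # Resolve the whole chain (covers /etc/alternatives-style indirection).
        target=$(readlink -f "$file")
        case ${target##*/} in
            p11-kit-trust.so) echo p11-kit ;;
            *)                echo link ;;
        esac
    elif [ "${file%/*}" = "$system_dir" ]; then
        echo system      # the one copy expected from the system NSS package
    else
        echo bundled     # private copy: unaffected by a system-wide switch
    fi
}

# audit_ckbi ROOT SYSTEM_DIR -> one "class relative-path" line per hit
audit_ckbi() {
    root=$1 system_dir=$2
    find "$root" -name libnssckbi.so \( -type f -o -type l \) | LC_ALL=C sort |
    while IFS= read -r path; do
        printf '%s %s\n' "$(classify_ckbi "$path" "$system_dir")" "${path#"$root"}"
    done
}

# Constructed sample layout (empty stand-in files, no real modules).
build_sample_tree() {
    t=$1
    sys=$t/usr/lib/x86_64-linux-gnu
    mkdir -p "$sys/nss" "$sys/pkcs11" "$t/usr/lib/firefox" \
             "$t/etc/apache2/nssdb" "$t/etc/alternatives" \
             "$t/opt/app" "$t/opt/old"
    : > "$sys/nss/libnssckbi.so"               # system NSS builtin roots
    : > "$sys/pkcs11/p11-kit-trust.so"         # p11-kit trust module
    : > "$t/usr/lib/firefox/libnssckbi.so"     # application-private copy
    # Symlink into the system directory, like the mod-nss one in the thread.
    ln -s "$sys/nss/libnssckbi.so" "$t/etc/apache2/nssdb/libnssckbi.so"
    # Two-hop chain through a hypothetical alternatives link named "ckbi".
    ln -s "$sys/pkcs11/p11-kit-trust.so" "$t/etc/alternatives/ckbi"
    ln -s "$t/etc/alternatives/ckbi" "$t/opt/app/libnssckbi.so"
    # Leftover link whose target no longer exists.
    ln -s "$t/gone/libnssckbi.so" "$t/opt/old/libnssckbi.so"
}

demo() {
    tmp=$(mktemp -d) || return 1
    build_sample_tree "$tmp"
    audit_ckbi "$tmp" "$tmp/usr/lib/x86_64-linux-gnu/nss"
    rm -rf "$tmp"
}

demo
```

On a real system the call would be `audit_ckbi / /usr/lib/x86_64-linux-gnu/nss`; any `bundled` line is a copy that a diversion or alternative on the system path will not replace.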
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Fri, 11 Jan 2019 16:24:09 GMT).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Fri, 11 Jan 2019 16:24:09 GMT).
To: David Woodhouse <dwmw2@infradead.org>, 704180@bugs.debian.org, Laurent Bigonville <bigon@debian.org>, 741005@bugs.debian.org, Andreas
Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Fri, 11 Jan 2019 11:17:32 -0500
On Thu 2019-01-10 21:48:22 +0000, David Woodhouse wrote:
> On Thu, 2019-01-10 at 15:53 -0500, Daniel Kahn Gillmor wrote:
>> what's the advantage of using alternatives instead of a package-
>> specific displacement?
>
> None really, as long as you put it in a separate p11-kit-trust package
> as Fedora/RHEL do.
>
> You don't want installation of the p11-kit package itself to trigger
> the replacement, necessarily. Lots of other things use p11-kit.
yes, agreed, it would be a separate and distinct binary package, not
p11-kit on its own.
--dkg
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Fri, 11 Jan 2019 17:21:05 GMT).
Acknowledgement sent
to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Fri, 11 Jan 2019 17:21:05 GMT).
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
David Woodhouse <dwmw2@infradead.org>, 704180@bugs.debian.org,
741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Fri, 11 Jan 2019 18:17:26 +0100
On 11/01/19 at 17:17, Daniel Kahn Gillmor wrote:
> On Thu 2019-01-10 21:48:22 +0000, David Woodhouse wrote:
>> On Thu, 2019-01-10 at 15:53 -0500, Daniel Kahn Gillmor wrote:
>>> what's the advantage of using alternatives instead of a package-
>>> specific displacement?
>> None really, as long as you put it in a separate p11-kit-trust package
>> as Fedora/RHEL do.
>>
>> You don't want installation of the p11-kit package itself to trigger
>> the replacement, necessarily. Lots of other things use p11-kit.
> yes, agreed, it would be a separate and distinct binary package, not
> p11-kit on its own.
The problem is what/who will decide if this package is installed? If
that package is being pulled by another package for some reason, that
means that the local administrator will not be able to revert the
decision of the package maintainer who has added this dependency
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Fri, 11 Jan 2019 17:39:06 GMT).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Fri, 11 Jan 2019 17:39:06 GMT).
To: Laurent Bigonville <bigon@debian.org>, David Woodhouse <dwmw2@infradead.org>, 704180@bugs.debian.org, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Fri, 11 Jan 2019 12:28:52 -0500
On Fri 2019-01-11 18:17:26 +0100, Laurent Bigonville wrote:
> The problem is what/who will decide if this package is installed? If
> that package is being pulled by another package for some reason, that
> means that the local administrator will not be able to revert the
> decision of the package maintainer who has added this dependency
agreed, a runtime dependency on that for anything but a "preferred
system configuration"-style metapackage would be a bad thing. but it'd
also be a very visible thing.
Hopefully if that happened, the affected user could report a bug on that
dependency, and in the meantime work around it with something like
equivs.
--dkg
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Sun, 13 Jan 2019 19:21:07 GMT).
Acknowledgement sent
to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Sun, 13 Jan 2019 19:21:07 GMT).
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 704180@bugs.debian.org
Cc: David Woodhouse <dwmw2@infradead.org>,
Laurent Bigonville <bigon@debian.org>, 741005@bugs.debian.org
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Sun, 13 Jan 2019 19:07:42 +0100
On 2019-01-11 Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> On Thu 2019-01-10 21:48:22 +0000, David Woodhouse wrote:
>> On Thu, 2019-01-10 at 15:53 -0500, Daniel Kahn Gillmor wrote:
>>> what's the advantage of using alternatives instead of a package-
>>> specific displacement?
>> None really, as long as you put it in a separate p11-kit-trust package
>> as Fedora/RHEL do.
>> You don't want installation of the p11-kit package itself to trigger
>> the replacement, necessarily. Lots of other things use p11-kit.
> yes, agreed, it would be a separate and distinct binary package, not
> p11-kit on its own.
The coding would be straightforward afaict.
https://salsa.debian.org/gnutls-team/p11-kit/commits/tmp-704180-divertnss
I have not done any firefox testing apart from "it does not crash",
though. ;-)
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Sun, 13 Jan 2019 21:00:04 GMT).
Acknowledgement sent
to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Sun, 13 Jan 2019 21:00:05 GMT).
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
David Woodhouse <dwmw2@infradead.org>, 704180@bugs.debian.org,
741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Sun, 13 Jan 2019 20:40:08 +0100
On 11/01/19 at 18:28, Daniel Kahn Gillmor wrote:
> On Fri 2019-01-11 18:17:26 +0100, Laurent Bigonville wrote:
>> The problem is what/who will decide if this package is installed? If
>> that package is being pulled by another package for some reason, that
>> means that the local administrator will not be able to revert the
>> decision of the package maintainer who has added this dependency
> agreed, a runtime dependency on that for anything but a "preferred
> system configuration"-style metapackage would be a bad thing. but it'd
> also be a very visible thing.
>
> Hopefully if that happened, the affected user could report a bug on that
> dependency, and in the meantime work around it with something like
> equivs.
The problem is that if nothing is pulling the new package in the default
installation, nobody will ever use it. And we will create a new
difference between debian and the other distributions.
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Mon, 14 Jan 2019 15:36:06 GMT).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Mon, 14 Jan 2019 15:36:06 GMT).
To: Andreas Metzler <ametzler@bebt.de>, 704180@bugs.debian.org
Cc: David Woodhouse <dwmw2@infradead.org>, Laurent Bigonville <bigon@debian.org>, 741005@bugs.debian.org
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Mon, 14 Jan 2019 10:33:11 -0500
On Sun 2019-01-13 19:07:42 +0100, Andreas Metzler wrote:
> The coding would be straightforward afaict.
>
> https://salsa.debian.org/gnutls-team/p11-kit/commits/tmp-704180-divertnss
I like the looks of this, though perhaps we want to name the new package
p11-kit-trust to be more in line with the name given by other distros.
> I have not done any firefox testing apart from "it does not crash",
> though. ;-)
I will try to build and test it soon -- it'd be good to write an
automated test suite too, though i'm not sure how to do that with
firefox.
--dkg
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Mon, 14 Jan 2019 15:36:08 GMT).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Mon, 14 Jan 2019 15:36:08 GMT).
To: Laurent Bigonville <bigon@debian.org>, David Woodhouse <dwmw2@infradead.org>, 704180@bugs.debian.org, 741005@bugs.debian.org, Andreas Metzler <ametzler@debian.org>
Subject: Re: Bug#704180: Use p11-kit to replace nssckbi
Date: Mon, 14 Jan 2019 10:30:53 -0500
On Sun 2019-01-13 20:40:08 +0100, Laurent Bigonville wrote:
> The problem is that if nothing is pulling the new package in the default
> installation, nobody will ever use it.
hm, this is true, but it's also likely to be true for a non-default
debconf choice as well, right? most people keep their debconf priority
at low, and i can't imagine that we'll add this as a high-priority
debconf question.
> And we will create a new difference between debian and the other
> distributions.
David Woodhouse suggests that Fedora ships this configuration choice as
a distinct package called p11-kit-trust -- so as long as we name the
package the same way, we're actually closing a gap between debian and
the other distros.
--dkg
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#741005; Package src:nss.
(Mon, 14 Jan 2019 16:30:25 GMT).
Acknowledgement sent
to David Woodhouse <dwmw2@infradead.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Mon, 14 Jan 2019 16:30:26 GMT).
On Mon, 2019-01-14 at 10:33 -0500, Daniel Kahn Gillmor wrote:
> On Sun 2019-01-13 19:07:42 +0100, Andreas Metzler wrote:
> > The coding would be straightforward afaict.
> >
> > https://salsa.debian.org/gnutls-team/p11-kit/commits/tmp-704180-divertnss
>
> I like the looks of this, though perhaps we want to name the new package
> p11-kit-trust to be more in line with the name given by other distros.
In Fedora it's called p11-kit-trust and it's pulled in by default as a
dependency of various other packages including NSS and GnuTLS. In fact
I think GnuTLS is built to use it as its default trust store, so not
installing it isn't really a possibility. It also provides the standard
update-ca-certificates mechanism which manages the CAs used by OpenSSL.
They use alternatives so that if the user really wants to disable it
for NSS and use the standard libnssckbi.so for NSS, they can.