Bug 1174191

Summary: On 64-bit RHEL 7.0/7.1, shared-system-certs is never active for 32-bit multiarch
Product: Red Hat Enterprise Linux 7
Reporter: Kai Engert (:kaie) (inactive account) <kengert>
Component: releng
Assignee: Lubos Kocman <lkocman>
Status: CLOSED ERRATA
QA Contact: Release Test Team <release-test-team-automation>
Severity: unspecified
Priority: high
Version: 7.1
CC: dgilmore, dtodorov, dueno, jrieden, jstodola, jvavra, lkocman, mthacker, nmavrogi, salmy, stefw
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-10-30 07:21:39 UTC
Type: Bug
Bug Blocks: 1110750, 1295396    

Description Kai Engert (:kaie) (inactive account) 2014-12-15 10:43:01 UTC
On 64-bit systems, the shared-system-certs feature, which is implemented by the p11-kit-trust.so module, is never active for 32-bit applications,
because the p11-kit-trust package is available only as a 64-bit package.

For example, on x86_64, the p11-kit-trust.x86_64.rpm package is available,
but the p11-kit-trust.i686.rpm package isn't.

As a result, 32-bit applications using NSS will always use the statically built NSS version of the root CA list.

Expected: 32-bit applications using NSS on a 64-bit system should use the dynamically provided CA list.

In order to fix this bug, the p11-kit-trust package must be made available as a 32-bit version on multiarch systems.
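
A check for the gap described above, as an added example that is not part of the original bug report: it lists every architecture on which the nss package is installed without a matching p11-kit-trust package. The function and sample names are hypothetical, the package lists are constructed, and it assumes NSS is provided by the RPM named nss.

```shell
#!/bin/sh
# Added example (not from the bug report): find architectures where NSS is
# installed but p11-kit-trust is not, i.e. where shared-system-certs cannot
# be active. Input is one "NAME.ARCH" entry per line, for example from:
#   rpm -qa --qf '%{NAME}.%{ARCH}\n' | multilib_trust_gap
# Assumption: NSS is shipped in the RPM named "nss".
multilib_trust_gap() {
    awk '
        {
            # Split on the last dot, since package names may contain dots.
            i = match($0, /\.[^.]+$/)
            if (i == 0) next
            name = substr($0, 1, i - 1)
            arch = substr($0, i + 1)
            if (name == "nss") nss[arch] = 1
            if (name == "p11-kit-trust") trust[arch] = 1
        }
        END {
            # An arch with NSS but no trust module falls back to the
            # statically built root CA list.
            for (a in nss) if (!(a in trust)) print a
        }
    ' | sort
}

# Constructed sample: package set of an affected x86_64 multiarch host.
sample_affected() {
    printf '%s\n' nss.x86_64 nss.i686 p11-kit.x86_64 p11-kit.i686 \
        p11-kit-trust.x86_64 ca-certificates.noarch
}

# Constructed sample: the same host once the 32-bit package is installed.
sample_fixed() {
    sample_affected
    printf '%s\n' p11-kit-trust.i686
}

echo "affected host, arches without trust module: $(sample_affected | multilib_trust_gap)"
echo "fixed host, arches without trust module: $(sample_fixed | multilib_trust_gap)"
```

An empty result means every architecture that has NSS also has the trust module package installed.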

Comment 5 Lubos Kocman 2017-03-14 09:43:40 UTC
I'm adding devel ack, since it seems that there is a scenario which is currently blocked. Rel-eng needs to add a multilib whitelist for this specific package + remaining p11-kit-trust.

Is PM okay with such a change (it will result in shipping i686 rpms, which we haven't previously shipped)?

Also closing https://projects.engineering.redhat.com/browse/RCM-13414 in favour of this bug.

Lubos

Comment 9 Lubos Kocman 2018-06-22 13:11:26 UTC
The right thing would be to deliver this update via advisory. Do we have any update, or will we re-push the last advisory for p11-kit-trust?

Fixed in https://code.engineering.redhat.com/gerrit/142223

Comment 13 errata-xmlrpc 2018-10-30 07:21:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3014