Bug 2229934

Summary: Problem with requirement of `/usr/lib64/libnssckbi.so`
Product: [Fedora] Fedora
Reporter: Jaroslav Mracek <jmracek>
Component: mod_nss
Assignee: Rob Crittenden <rcritten>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 38
CC: mharmsen, rcritten
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Last Closed: 2023-09-25 20:00:18 UTC
Bug Blocks: 2180842    

Description Jaroslav Mracek 2023-08-08 08:56:43 UTC
Package mod_nss requires: /usr/lib64/libnssckbi.so

Why this is a problem:
1. DNF5 stops downloading filelists by default, therefore `mod_nss` will not be installable
2. It is against Fedora packaging guidelines to require files outside of `/etc`, `/usr/(s)bin`.


Possible solution:
1. Use only file provides from `/etc`, `/usr/(s)bin` (follow packaging guidelines please) or other provides from the package providing the required functionality
2. Request explicit provide of `/usr/lib64/libnssckbi.so` in package providers of the file like `Provides: /usr/lib64/libnssckbi.so`. This is a workaround that resolves the issue, but it is not according to the guidelines.

This issue will appear after DNF5 adoption, because DNF5 does not download filelists by default. The problem will not be in DNF5 because it is caused by not following packaging guidelines. DNF always downloaded filelists to prevent the issue. There are only a few remaining packages that have the issue, therefore it is time to improve the efficiency of the Fedora distribution.

Reproducible: Always

Comment 1 Rob Crittenden 2023-08-14 20:13:46 UTC
Specifically the guideline is documented at https://docs.fedoraproject.org/en-US/packaging-guidelines/#_file_and_directory_dependencies

We can change the Requires to p11-kit-trust which provides this library but the mechanism to load the library, which contains the root certs, will need to be revisited. If it is not present in the directory that contains the NSS database then the public roots are not available. This has been a problem over the years and has spawned a few bugs.
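
A check for the kind of dependency this report describes, as an added example that is not part of the bug report or of the mod_nss packaging: it scans spec text for file-path dependencies outside the directories the description names. The macro values, the sample spec and all function names are assumptions made for the illustration.

```python
import re

# Directories the report names as acceptable for file dependencies
# (its "/usr/(s)bin" shorthand is expanded here).
ALLOWED_PREFIXES = ("/etc/", "/usr/bin/", "/usr/sbin/")

# Assumed macro values for an x86_64 Fedora build; a real spec should be
# expanded with rpmspec instead of this small table.
MACROS = {"%{_libdir}": "/usr/lib64", "%{_bindir}": "/usr/bin",
          "%{_sbindir}": "/usr/sbin", "%{_sysconfdir}": "/etc"}

# Requires, scoped forms such as Requires(post), and two weak-dependency tags.
DEP_TAG = re.compile(r"^(Requires(?:\([^)]*\))?|Recommends|Suggests)\s*:\s*(.*)$", re.I)

def file_dependencies(spec_text):
    """Yield (line number, tag, path) for each file-path dependency."""
    for lineno, line in enumerate(spec_text.splitlines(), 1):
        match = DEP_TAG.match(line.strip())
        if not match:
            continue  # comments and unrelated tags are skipped
        tag, deps = match.groups()
        for macro, value in MACROS.items():
            deps = deps.replace(macro, value)
        # Package names, operators and versions never start with "/".
        for token in re.split(r"[,\s]+", deps):
            if token.startswith("/"):
                yield lineno, tag, token

def needs_filelists(spec_text):
    """Return file dependencies that lie outside the allowed directories."""
    return [dep for dep in file_dependencies(spec_text)
            if not dep[2].startswith(ALLOWED_PREFIXES)]

# Constructed sample, not the real mod_nss spec.
SAMPLE_SPEC = """\
Name: example-module
Requires: httpd, /usr/sbin/semanage
Requires: %{_libdir}/libnssckbi.so
Requires(post): /etc/pki/tls
# Requires: /usr/lib64/ignored.so
Requires: p11-kit-trust >= 0.23
"""

if __name__ == "__main__":
    for lineno, tag, path in needs_filelists(SAMPLE_SPEC):
        print(f"line {lineno}: {tag}: {path} is outside {ALLOWED_PREFIXES}")
```
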