glibc should be ported to use NSS library for cryptography. See the tracking bug for details and links on how it could be done.
triaged
It's in NSS 3.12.3. I don't know if that has been picked up by rawhide yet. I think only 3.12.3 Beta has been released, but the differences between beta and rtm should be pretty minor. I can have Kai pull it in. bob
The latest snapshot is NSS 3.12.3 beta 4 which is from 6 weeks ago. There seem to be a couple of blocker bugs for the final release, still, so I'm going to build this beta into rawhide now.
I built it as https://koji.fedoraproject.org/koji/taskinfo?taskID=1268615
Looking at the resulting binary, here is what ldd tells me on libsoftokn and libfreebl:

$ ldd libfreebl3.so
        libnssutil3.so => /lib/libnssutil3.so (0x0038c000)
        libnspr4.so => /lib/libnspr4.so (0x00512000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x009e8000)
        libdl.so.2 => /lib/libdl.so.2 (0x0036d000)
        libc.so.6 => /lib/libc.so.6 (0x00110000)
        libplc4.so => /lib/libplc4.so (0x00284000)
        libplds4.so => /lib/libplds4.so (0x00289000)
        /lib/ld-linux.so.2 (0x00849000)
$ ldd libsoftokn3.so
        libnssutil3.so => /lib/libnssutil3.so (0x00c11000)
        libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0x00ea2000)
        libplc4.so => /lib/libplc4.so (0x00fbc000)
        libplds4.so => /lib/libplds4.so (0x00f2d000)
        libnspr4.so => /lib/libnspr4.so (0x0014c000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00ca1000)
        libdl.so.2 => /lib/libdl.so.2 (0x00186000)
        libc.so.6 => /lib/libc.so.6 (0x004fd000)
        /lib/ld-linux.so.2 (0x00849000)

I'm surprised that I still see dependencies to the nspr libraries.
(In reply to comment #6)
> I'm surprised that I still see dependencies to the nspr libraries.
Indeed. The whole purpose of the exercise is to get rid of that dependency. We are closing in fast on F11 (and therefore RHEL6). Bob, can you take a look?
I guess there are special build flags necessary to get the nspr-free nss. I'll test with FREEBL_NO_DEPEND=1
yes, that's the flag. bob
thanks. build should be done shortly: https://koji.fedoraproject.org/koji/buildinfo?buildID=96070
I verified that the code now in rawhide has no such static dependency. And it's easy enough to use, even for me. But there still is a runtime dependency on nspr4. Is this really necessary? What is it that's needed from that library? I definitely see it used.
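Added example, not part of the original thread: a shell check that separates the two kinds of dependency discussed above, NSPR libraries linked at build time (what ldd shows) versus NSPR libraries that only appear in a running process. `LDD_BEFORE` is taken from the ldd output quoted earlier in this bug; `LDD_AFTER`, `MAPS_SAMPLE` and all function names are constructed for illustration.

```shell
#!/bin/sh
# From the thread: ldd output of the first libfreebl3.so build (NSPR linked in).
LDD_BEFORE='	libnssutil3.so => /lib/libnssutil3.so (0x0038c000)
	libnspr4.so => /lib/libnspr4.so (0x00512000)
	libc.so.6 => /lib/libc.so.6 (0x00110000)
	libplc4.so => /lib/libplc4.so (0x00284000)
	libplds4.so => /lib/libplds4.so (0x00289000)
	/lib/ld-linux.so.2 (0x00849000)'
# Constructed: what a build with FREEBL_NO_DEPEND=1 is assumed to look like.
LDD_AFTER='	libc.so.6 => /lib/libc.so.6 (0x00110000)
	/lib/ld-linux.so.2 (0x00849000)'
# Constructed: /proc/<pid>/maps lines of a process using that build.
MAPS_SAMPLE='00110000-0026e000 r-xp 00000000 fd:00 1311 /lib/libc-2.10.so
00284000-002c0000 r-xp 00000000 fd:00 1320 /lib/libfreebl3.so
00512000-0054b000 r-xp 00000000 fd:00 1330 /lib/libnspr4.so
00849000-00869000 r-xp 00000000 fd:00 1300 /lib/ld-2.10.so'

# Resolved library paths from ldd output ("name => /path (addr)" lines only).
linked_libs() {
    printf '%s\n' "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# Shared objects mapped into a process (6th field of /proc/<pid>/maps).
mapped_libs() {
    printf '%s\n' "$1" | awk '$6 ~ /\.so/ { print $6 }' | sort -u
}

# Keep only the NSPR family; never fail when nothing matches.
nspr_only() { grep -E '/lib(nspr4|plc4|plds4)\.so' || true; }

# NSPR libraries the object is linked against.  $1 = ldd output
static_nspr() { linked_libs "$1" | nspr_only; }

# NSPR libraries present at runtime but absent from the link-time list,
# i.e. loaded some other way.  $1 = ldd output, $2 = maps content
runtime_only_nspr() {
    linked=$(static_nspr "$1")
    mapped_libs "$2" | nspr_only | while IFS= read -r lib; do
        printf '%s\n' "$linked" | grep -qxF "$lib" || printf '%s\n' "$lib"
    done
}

# On a live system: static_nspr "$(ldd libfreebl3.so)"
#                   runtime_only_nspr "$(ldd libfreebl3.so)" "$(cat /proc/$PID/maps)"
echo "linked before:  $(static_nspr "$LDD_BEFORE" | tr '\n' ' ')"
echo "linked after:   $(static_nspr "$LDD_AFTER" | tr '\n' ' ')"
echo "runtime only:   $(runtime_only_nspr "$LDD_AFTER" "$MAPS_SAMPLE")"
```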
Oh, and Kai: can you please move libfreebl3.{so,chk} into a separate RPM file (a sub-package)? This way glibc can depend only on that sub-package and not the whole of NSS.
Bob, Elio, do you agree to introduce a separate nss-freebl sub-package? It's simple enough to do, I already have a patch and I'm running a local build for testing.
Created attachment 337823 [details] Patch to introduce separate nss-freebl.rpm
I talked with Steve Grubb and he said that if NSS fails the crypt() call should fail. I've updated the patch and it is upstream now. The next rawhide build should have it. Jakub: configure rawhide with --enable-nss-crypt.
Talked to Bob and Elio, agreed to name the package nss-softokn-freebl, because at some point we might want to introduce a nss-softokn package... I decided to move only the .so file to that package (for now), not the .chk file, because the .chk file is a generated file and needs the signing tool, which needs nspr etc... So for now, let's keep the .chk file in the main NSS package. I've started a build: https://koji.fedoraproject.org/koji/taskinfo?taskID=1274334
What is the next step for this bug? I believe the NSS portion has been completed. As this bug is assigned to the glibc component, do you want to keep this bug open for other work, or should we close it?
(In reply to comment #18)
> What is the next step for this bug?
> I believe the NSS portion has been completed.
The glibc part is indeed done. But there is one more change to nss. The /etc/prelink.conf.d/nss-prelink.conf file should be in a separate rpm. Only people interested in certification should install it. For others prelinking should not be prevented. Too many programs are negatively impacted otherwise. How are the startup tests reacting to prelinking?
Could you please send me the output of

$ egrep "libfreebl3|libsoftokn3" /var/log/prelink/prelink.log

from an affected system? I'm curious how many packages it prevents from being prelinked. On my Fedora 10 system it only affects pk11install. I'm afraid you'll tell me that the new dependency from glibc to freebl changed that?
Ok, you're probably referring to bug 504949, which I hadn't seen until now.
I propose to close this bug and track the proposed change for prelinking in bug 504949.