Bug 508479 - Split off softoken from NSS as its own package
Split off softoken from NSS as its own package
Product: Fedora
Classification: Fedora
Component: nss (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Elio Maldonado Batiz
Fedora Extras Quality Assurance
Depends On: 515032 515034 575001
Blocks: 508480
  Show dependency treegraph
Reported: 2009-06-27 13:58 EDT by Elio Maldonado Batiz
Modified: 2010-09-24 20:36 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 508480 (view as bug list)
Last Closed: 2010-09-24 20:36:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
nss.spec file without nss-softokn and nss-utils (12.44 KB, patch)
2009-08-03 11:45 EDT, Elio Maldonado Batiz
no flags Details | Diff
this patch addresses review comments (8.14 KB, patch)
2009-08-05 11:04 EDT, Elio Maldonado Batiz
no flags Details | Diff
the full nss.spec file after the patch is applied (21.83 KB, text/plain)
2009-08-05 11:08 EDT, Elio Maldonado Batiz
no flags Details
Changes to spec file required by split of softokn and util (12.39 KB, patch)
2009-08-11 17:00 EDT, Elio Maldonado Batiz
no flags Details | Diff
The spec file after 357081 is applied (23.19 KB, text/plain)
2009-08-11 17:02 EDT, Elio Maldonado Batiz
no flags Details
Changes to spec file required by split of softokn and util (15.33 KB, patch)
2009-08-18 14:22 EDT, Elio Maldonado Batiz
no flags Details | Diff
spec with the changes applied (22.91 KB, text/plain)
2009-08-18 14:23 EDT, Elio Maldonado Batiz
no flags Details
changes to nss.spec and nss.pc.in required by the patch (15.91 KB, patch)
2009-08-18 16:38 EDT, Elio Maldonado Batiz
no flags Details | Diff

  None (edit)
Description Elio Maldonado Batiz 2009-06-27 13:58:28 EDT
It is extremely difficult to upgrade NSS while at the same time keeping the FIPS validated cryptographic module.

NSS is FIPS 140-2 validated but it is actually the nss softoken pkcs #11 module that is granted the FIPS 140 validation as a cryptographic module. Only the softoken and frebl libraries are inside the "cryptographic boundary" and get validated, the rest of NSS lies outside the boundary. 

The current monolithic packaging of NSS  makes it extremely hard to support users who rely on the FIPS validation so they can upgrade NSS and take advantage of crucial fixes while at the same time continuing to use the current FIPS validated cryptographic module. RHEL needs to keep updating NSS while at the same time ship NSS with the last validated softoken.

Packaging softoken separately from the rest of nss will solve these problems. The nss utils library is a set of non-cryptographic utilities that softoken and the rest of nss depend on should also be packaged separately. In the upcoming NSS 3.12.4 from upstream, some re-factoring of code and include files has been done to enable such re-packaging possible for us downstream in Fedora and RHEL.

Version-Release number of selected component (if applicable):

How reproducible: N/A

Steps to Reproduce: N/A
Actual results:

Expected results: 

Additional info:
Comment 1 Elio Maldonado Batiz 2009-07-22 19:07:47 EDT
In a recent conversation with some folks it was brought up that the split of softokn and util could be accomplished in two ways:  

1: Split off nss-softkn and nss-utils their own packages.
Pros: gives us the ability to ship nss-softokn (and nss-utils) independently of the rest of nss with their very own versions. RHEL would greatly benefit in being able to follow the Fedora spec files rather closely.
Cons: Introducing two new packages does require more review to get it in F-12 and may require more testing.

2: Make nss-softkn and nss-utils subpackages if nss in the nss.spec file similarly to what was done for nss-softkn-freebl.
Pros: Requires less review, may be simpler to implement, may require less testing thus more likely to have it done on time for F-12.  
Cons: Keeping separate versions of subpackages is a bit trickier and may not simplify maintenance in RHEL as much as we wish for.

For the Fedora 12 Feature Page please see

An early proof-of-concept implementation can be obtained via
git clone git://fedorapeople.org/~emaldonado/splitnss.git
Comment 2 Elio Maldonado Batiz 2009-08-01 15:35:08 EDT
FESCo sayd: "This was declined as a feature, due to the fact it seems to be mostly package reorganization, with no visible changes." To this end I have created Bug 515032 and Bug 515034 to introduce nss-util and nss-softokn as packages.
Comment 3 Elio Maldonado Batiz 2009-08-03 11:45:59 EDT
Created attachment 356056 [details]
nss.spec file without nss-softokn and nss-utils

This is not for a formal review as it requires the split of nss-softkn and nss-util into their own packages which is pending review. I just want to show some progress and elicit comments and questions.
Comment 4 Elio Maldonado Batiz 2009-08-03 12:48:58 EDT
(In reply to comment #3) My own comments:
1. Remove the %files softokn-freebl line  the next two since it softokn-freebl is now a subpackge of nss-softokn.
2. nss-nolocalsql.patch patches files inside softokn so it should be moved to nss-softokn.spec and applied fron nss-softokn.spec.  Luckily this patch is limited to softokn files plus one Makefile above it which is included when we create the softokn tar out of the big one. 

This brings up a previously unanticipated problem. There may be patches that include files across softkn, util, and the rest of nss. It looks like we would have to split them up into multiple patches ourselves or maybe ask the originator to do so.
Comment 5 Elio Maldonado Batiz 2009-08-05 11:04:36 EDT
Created attachment 356324 [details]
this patch addresses review comments

nss-softokn-freebl and two softokn-only patches moved out to the nss-softokn.spec.
Comment 6 Elio Maldonado Batiz 2009-08-05 11:08:08 EDT
Created attachment 356325 [details]
the full nss.spec file after the patch is applied
Comment 7 Bob Relyea 2009-08-05 14:18:46 EDT
re comment #4.

unlikely that we could have any more combined patches. NSS upstream will have a pretty strong 'lock' on softoken, so any patches would already have to be split in the upstream version (with the softoken parts checked into a softoken branch).

Comment 8 Elio Maldonado Batiz 2009-08-11 17:00:46 EDT
Created attachment 357081 [details]
Changes to spec file required by split of softokn and util

nss, nss-softokn, and ns-util "share" onwership of /usr/include/nss3, so to speak, instead of nss-util being the owner. I still run into install conflicts when installing or upgrading in a system with an older version of nss. Shared ownership among the three packages is a problem I haven't solved and need some advise on.
Comment 9 Elio Maldonado Batiz 2009-08-11 17:02:07 EDT
Created attachment 357082 [details]
The spec file after 357081 is applied
Comment 10 Elio Maldonado Batiz 2009-08-11 17:08:22 EDT
Copies of all three .spec files (nss, nss-softkn and nss-util) can be found at http://fedorapeople.org/~emaldonado/specfiles/
Comment 11 Elio Maldonado Batiz 2009-08-18 14:22:11 EDT
Created attachment 357838 [details]
Changes to spec file required by split of softokn and util
Comment 12 Elio Maldonado Batiz 2009-08-18 14:23:34 EDT
Created attachment 357839 [details]
spec with the changes applied
Comment 13 Elio Maldonado Batiz 2009-08-18 16:38:47 EDT
Created attachment 357847 [details]
changes to nss.spec and nss.pc.in required by the patch
Comment 14 Elio Maldonado Batiz 2009-08-18 17:40:53 EDT
Now that I got r+'s on the other two bugs one next logical step would be to review the attachments for this one. Bob, could you review this one as well?
Comment 15 Elio Maldonado Batiz 2009-08-31 16:59:42 EDT
Requesting Bob Relyea's review of nss.spec, nss.pc.in and nss-conf for Rawhide.
Comment 16 Bob Relyea 2009-08-31 17:19:25 EDT
Reviewing what is on top of the tree

Delete the following Requires:

nss-util (optionally)

delete the following BuildRequires:
sqlite-devel (should be pulled in by nss-softokn if necessary)

># we must compile with the entire source tree because nss needs                  
># private exports from util. The install section will ensure not
># to override nss-util and nss-softoken headers already installed.

this needs to be fixed... we should use the real headers and fixe the private exports issues.

> #remove the nss-util-devel headers

This should be necessary once the above is fixed.
Comment 17 Wan-Teh Chang 2009-09-01 10:12:43 EDT
We chose the "softokn" name, without the "e", to make
the Windows DLL name "softokn3.dll" fit the DOS 8.3
naming constraint.  For the Linux package name, we
should not omit the "e".  Is it too late to rename
this package nss-softoken?
Comment 18 Elio Maldonado Batiz 2009-09-01 11:21:52 EDT
(In reply to comment #17) This package was named nss-softokn for consistency with the previously released nss-softokn-freebl which now becomes a sub-package of this one. I wish we had placed the "e" then. I'm afraid it is too late to change the names.
Comment 19 Wan-Teh Chang 2009-09-03 13:56:57 EDT
I guess libfreebl3.so has to be its own package because the nss-softokn
package would pull in the nspr and nss-util packages?

Can we shorten the nss-softokn-freebl package name?  The package
name doesn't need to mention the softoken.  I think nss-hash, nss-lowhash,
nss-low, or nss-freebl would all be a good name.  I hope we can fix these
package names before they are locked into a RHEL release.
Comment 20 Bob Relyea 2009-09-03 17:27:54 EDT
Freebl has it's own package because it needs to be installed 'solo' for glibcrypt which uses it.

Freebl itself is part of the softoken package (that is the source code updates are softoken/freebl combined). It's a subpackage of nss-softokn (not nss).

The name was chosen several months ago when we put the code in for glibcrypt. At the time it was part of the nss package, but we knew it was going to be part of the nss-softokn package, so we named it the softokn-freebl package of nss. This allowed us to smoothly handle the transition to multi-nss.

This is why the name of the nss-softokn package was fixed.

To summarize:
1) nss-softokn-freebl must have a name with nss-softokn at the front no matter what.
2) The full name had been locked in several months ago (Fedora 8 or 9) and we are unlikely to change unless there is something really wrong with the name.

RE: softokn verses softoken. Since the name of the base library is softokn, it makes sense that the package name is softokn as well. Having 2 names could be confusing.
Comment 21 Kai Engert (:kaie) 2009-09-04 10:16:58 EDT
> RE: softokn verses softoken. Since the name of the base library is softokn, it
> makes sense that the package name is softokn as well. Having 2 names could be
> confusing.  

I concur, consistency is important.
Comment 22 Bug Zapper 2009-11-16 05:30:06 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
Comment 23 Fedora Admin XMLRPC Client 2010-09-07 16:55:05 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Note You need to log in before you can comment on or make changes to this bug.