Bug 508480 - Split off softoken from NSS as a subpackage or package
Summary: Split off softoken from NSS as a subpackage or package
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss
Version: 5.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 5.5
Assignee: Elio Maldonado Batiz
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On: 508479 551784 575002
Blocks:
Reported: 2009-06-27 18:09 UTC by Elio Maldonado Batiz
Modified: 2010-09-28 14:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 508479
Environment:
Last Closed: 2010-09-28 14:48:40 UTC
Target Upstream Version:
Embargoed:


Attachments
Makes softokn and util subpackages of nss (9.03 KB, patch)
2009-07-21 18:40 UTC, Elio Maldonado Batiz

Description Elio Maldonado Batiz 2009-06-27 18:09:08 UTC
+++ This bug was initially created as a clone of Bug #508479 +++

It is extremely difficult to upgrade NSS while at the same time keeping the FIPS validated cryptographic module.

NSS is FIPS 140-2 validated, but it is actually the nss softoken PKCS #11 module that is granted the FIPS 140 validation as a cryptographic module. Only the softoken and freebl libraries are inside the "cryptographic boundary" and get validated; the rest of NSS lies outside the boundary.

The current monolithic packaging of NSS makes it extremely hard to support users who rely on the FIPS validation so they can upgrade NSS and take advantage of crucial fixes while at the same time continuing to use the current FIPS validated cryptographic module. RHEL needs to keep updating NSS while at the same time shipping NSS with the last validated softoken.

Packaging softoken separately from the rest of nss will solve these problems. The nss utils library, a set of non-cryptographic utilities that softoken and the rest of nss depend on, should also be packaged separately. In the upcoming NSS 3.12.4 from upstream, some re-factoring of code and include files has been done to make such re-packaging possible for us downstream in Fedora and RHEL.


Version-Release number of selected component (if applicable):

How reproducible: N/A

Steps to Reproduce: N/A
  
Actual results:

Expected results: 


Additional info:

Comment 7 Elio Maldonado Batiz 2009-07-21 14:48:59 UTC
Created attachment 354493
Changes to make softokn and utils subpackages

This is a first cut at splitting off softokn and util by making them subpackages of nss. The handling of separate version and release numbers for the subpackages, and of Requires, Conflicts (and possibly Obsoletes) stanzas, needs careful review and testing.

Comment 8 Elio Maldonado Batiz 2009-07-21 14:52:28 UTC
An early stab at splitting off softokn and util as packages on their own, separate yet related, can be obtained and examined via
git clone git://fedorapeople.org/~emaldonado/splitnss.git

Comment 15 Elio Maldonado Batiz 2010-09-28 14:48:40 UTC
The split was performed on Fedora 12 and RHEL 6.

Comment 16 Elio Maldonado Batiz 2010-09-28 14:52:42 UTC
Also, the split is done on RHEL 6 but not on RHEL 5, as it is a major repackaging that introduces new rpms and is therefore not appropriate for the RHEL 5 series of upgrades.

