Bug 508480 - Split off softoken from NSS as a subpackage or package
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss
5.5
All Linux
medium Severity medium
: rc
: 5.5
Assigned To: Elio Maldonado Batiz
BaseOS QE
:
Depends On: 508479 551784 575002
Reported: 2009-06-27 14:09 EDT by Elio Maldonado Batiz
Modified: 2010-09-28 10:52 EDT

Doc Type: Bug Fix
Clone Of: 508479
Last Closed: 2010-09-28 10:48:40 EDT

Attachments
Makes softokn and util subpackages of nss (9.03 KB, patch)
2009-07-21 14:40 EDT, Elio Maldonado Batiz

Description Elio Maldonado Batiz 2009-06-27 14:09:08 EDT
+++ This bug was initially created as a clone of Bug #508479 +++

It is extremely difficult to upgrade NSS while at the same time keeping the FIPS validated cryptographic module.

NSS is FIPS 140-2 validated, but it is actually the NSS softoken PKCS #11 module that is granted the FIPS 140 validation as a cryptographic module. Only the softoken and freebl libraries are inside the "cryptographic boundary" and get validated; the rest of NSS lies outside the boundary.

The current monolithic packaging of NSS makes it extremely hard to support users who rely on the FIPS validation so they can upgrade NSS and take advantage of crucial fixes while at the same time continuing to use the current FIPS validated cryptographic module. RHEL needs to keep updating NSS while at the same time shipping NSS with the last validated softoken.

Packaging softoken separately from the rest of nss will solve these problems. The nss utils library, a set of non-cryptographic utilities that softoken and the rest of nss depend on, should also be packaged separately. In the upcoming NSS 3.12.4 from upstream, some re-factoring of code and include files has been done to make such re-packaging possible for us downstream in Fedora and RHEL.


Comment 7 Elio Maldonado Batiz 2009-07-21 10:48:59 EDT
Created attachment 354493
Changes to make softokn and utils subpackages

This is a first cut at splitting off softokn and util by making them subpackages of nss. The handling of separate version and release numbers for the subpackages, and of Requires, Conflicts (and possibly Obsoletes) stanzas, needs careful review and testing.
Comment 8 Elio Maldonado Batiz 2009-07-21 10:52:28 EDT
An early stab at splitting off softokn and util as packages on their own, separate yet related, can be obtained and examined via
git clone git://fedorapeople.org/~emaldonado/splitnss.git
Comment 15 Elio Maldonado Batiz 2010-09-28 10:48:40 EDT
The split was performed on Fedora 12 and RHEL 6.
Comment 16 Elio Maldonado Batiz 2010-09-28 10:52:42 EDT
Also, the split is done on RHEL 6 but not on RHEL 5, as it is a major repackaging that introduces new rpms and is therefore not appropriate for the RHEL 5 series of upgrades.
