On Thu, 2019-01-10 at 19:14 +0100, Laurent Bigonville wrote:
> > However, am I right in thinking that we have multiple packages all
> > shipping their *own* special version of the NSS libraries, instead of
> > using the system one? Each instance of libnssckbi.so (in firefox,
> > thunderbird, etc.) would need to be replaced, wouldn't it?
> 
> If I'm searching for a file called libnssckbi.so in the archive, the 
> only other occurrence is in package libapache2-mod-nss.

Looking back, I see this bug was opened with the comment "With the
recent switch of wheezy-security's iceweasel to using the
embedded copy of nss..."

That was 2014 though. Is it no longer the case?

FWIW my Ubuntu 18.04 box does have separate instances of libnssckbi.so
in /usr/lib/{thunderbird,firefox}/ (along with all the other NSS
libraries, I believe).

Perhaps the answer is that any separate instances of NSS should *not*
ship their own libnssckbi.so and should use the system one. The
interface there is entirely stable as it's PKCS#11, so there won't be
compatibility problems (else p11-kit-trust couldn't work either).


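Added example, not part of the original message: a shell audit that lists every libnssckbi.so under the given directories and reports whether each one is a bundled copy or a symlink that resolves to the system trust module. The function names are hypothetical, and the module file name p11-kit-trust.so is an assumption of this example.

```shell
#!/bin/sh
# Audit libnssckbi.so instances (added example, not project code).
# Assumption: the p11-kit trust module is a file named p11-kit-trust.so.

# classify_nssckbi PATH
# Prints one of: bundled, p11-kit, symlink-other, dangling
classify_nssckbi() {
    f=$1
    if [ -L "$f" ]; then
        if [ ! -e "$f" ]; then
            echo "dangling"          # symlink whose target is missing
            return 0
        fi
        # Resolve the full chain (e.g. through /etc/alternatives).
        target=$(readlink -f -- "$f") || target=""
        case ${target##*/} in
            p11-kit-trust.so) echo "p11-kit" ;;
            *)                echo "symlink-other" ;;
        esac
    else
        # A regular file is a separately shipped root-CA module whose
        # trust list is not governed by the system trust store.
        echo "bundled"
    fi
}

# audit_nssckbi DIR...
# Prints one "CLASS<TAB>PATH" line per instance found.
audit_nssckbi() {
    find "$@" \( -type f -o -type l \) -name 'libnssckbi.so' 2>/dev/null |
    sort |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify_nssckbi "$f")" "$f"
    done
}

# count_bundled DIR...
# Prints the number of instances that are separate regular files.
count_bundled() {
    audit_nssckbi "$@" | awk -F'\t' '$1 == "bundled" { n++ } END { print n + 0 }'
}

# Run the audit only when directories are given, e.g.: sh audit.sh /usr/lib
if [ "$#" -gt 0 ]; then
    audit_nssckbi "$@"
fi
```

Entries reported as bundled are the ones that would each need replacing or redirecting for a system-wide trust change to reach that application.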