On 2010/06/13 01:33 PDT, Robin H. Johnson wrote:
> LOOK at the links I provided, there are ZERO changes to the actual
> source code.

Robin,

The point is that the upstream NSS team simply doesn't have time or resources to look at every downstream distribution. There's no point in asking us to do so. We just cannot. But in this case, there was no need for us to do so, thankfully. My email message attempted to cover a wide variety of possibilities without getting into any specifics of any distribution. It is quite common for distros to omit the .chk files altogether, or fail to update them when the NSS shared libs are updated or modified in any way. So I mentioned it as a general case, and you benefited.

> The root of the problem is that the shared libraries can change
> POST-install, as needed for ELF signing, split-debug and prelinking. The
> ELF signing is a catch-22. Either I have to run shlibsign afterwards, or
> I have to not sign those files, and leave them open to potential
> compromise.

Rerun shlibsign. It's fast and easy.

> Running shlibsign does remedy the problem.
>
> However, this entire matter could be remedied if some more useful error
> had been returned instead of 'Invalid Arguments'. Something to indicate
> that the library checksums no longer matched.

It's open source. Patches are invited.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
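
The failure mode discussed in this thread (a .chk file that is missing, or was not regenerated after the library was modified post-install) can be spotted before NSS reports 'Invalid Arguments'. The following is an added example, not code from this thread or from the NSS project; the function name `check_nss_chk` is hypothetical, and comparing modification times is an assumed heuristic, not the signature check NSS itself performs.

```sh
#!/bin/sh
# Added example: flag NSS libraries whose .chk file is missing or older
# than the library it covers.
# Assumption: a .chk older than its library means the library was changed
# (prelink, split-debug, ELF signing) after shlibsign last ran.

# NSS libraries that normally ship with a .chk companion.
NSS_CHECKED_LIBS="libsoftokn3 libfreebl3 libnssdbm3"

# check_nss_chk DIR
# Prints "<STATE> <library path>" for each library found in DIR.
# Returns 1 if any library is MISSING its .chk or has a STALE one.
check_nss_chk() {
    dir=$1
    rc=0
    for base in $NSS_CHECKED_LIBS; do
        lib="$dir/$base.so"
        chk="$dir/$base.chk"
        # Not every build installs every library; skip absent ones.
        [ -f "$lib" ] || continue
        if [ ! -f "$chk" ]; then
            echo "MISSING $lib"
            rc=1
        elif [ -n "$(find "$lib" -newer "$chk")" ]; then
            # Library modified after its checksum file was written.
            echo "STALE $lib"
            rc=1
        else
            echo "OK $lib"
        fi
    done
    return $rc
}
```

Run it as a last packaging or post-install step against the directory holding the NSS libraries; any library reported MISSING or STALE needs shlibsign rerun on it, as the reply above advises.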