On Fri, 2016-05-20 at 11:48 +0200, Jan Kurik wrote:
> = Proposed Self Contained Change: NSS enforces the system-wide crypto
> policy =
> https://fedoraproject.org/wiki/Changes/NSSCryptoPolicies

IYTM "enforces *some* of the system-wide crypto policy".

We also have a policy (in p11-kit config) for which PKCS#11 tokens
should be loaded into which applications. I suppose you could play
semantic games and say that's not really part of the "system-wide
crypto policy" you were talking about. But please don't :)

As things stand, NSS is a holdout in that respect too. If we were to
rebuild curl against GnuTLS¹, the right tokens would automatically be
available. As it's currently built against NSS, they aren't.

This is https://bugzilla.redhat.com/show_bug.cgi?id=1173577 — and it
might even be relatively easily solved just by loading p11-kit-proxy.so 
by default whenever the NSS database is initialised (without the NoDB
flag).

Please could we make an effort to get that fixed at the same time? The
patches you have as part of this Change are touching the *same* code in
nss_InitModules() which needs to be fixed up for loading the right
modules, too.

-- 
dwmw2

¹ Can we, please?



--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
