On Wed, 2019-01-09 at 14:04 -0500, Daniel Kahn Gillmor wrote: > On Wed 2019-01-09 16:39:36 +0100, Laurent Bigonville wrote: > > So what is the status of this? > > > > In RHEL 7 they made the switch to p11-kit and libnssckbi.so is an > > alternative between the file shipped by nss and p11-kit-trust.so shipped > > by p11-kit (with p11-kit version being the default). > > > > Should we switch debian by default to p11-kit as well? > > seems like the maintainers of p11-kit could unilaterally decide to > implement the diversion approach mentioned in > https://bugs.debian.org/704180 with a new binary package, if the nss > folks are reluctant to do it. > > I'm cc'ing Andreas here to try to get some feedback -- is this something > that there's interest in for the p11-kit maintainers?
That would seem like an excellent way to do it. However, am I right in thinking that we have multiple packages all shipping their *own* special version of the NSS libraries, instead of using the system one? Each instance of libnssckbi.so (in firefox, thunderbird, etc.) would need to be replaced, wouldn't it?
smime.p7s
Description: S/MIME cryptographic signature
