On Sun, 2015-05-10 at 12:11 -0700, Ryan Sleevi wrote:
> On Sat, May 9, 2015 3:30 pm, David Woodhouse wrote:
> > > No, you should be able to do it w/o patching NSS.
> >
> > OK... how?
> >
> > If the Shared System Database wasn't such an utter failure, not even
> > being used by Firefox itself, then just installing it there would have
> > been a nice idea. But *nothing* used the Shared System Database, and
> > there isn't even a coherent documented way for NSS users to discover
> > whether they should use it or not. If calling NSS_Initialize() with a
> > NULL configdir worked and did the right thing (sql:/etc/pki/nssdb where
> > it's set up, or sql:$HOME/.pki/nssdb otherwise), that would be nice...
> > but it doesn't.
>
> This is demonstrably not true, such as in the case of Chrome.

Which part are you talking about? That NSS_Initialize() with a NULL
configdir can quietly Do The Right Thing? If that now works, it's changed
since I last looked.

Or that Chrome can use sql:/etc/pki/nssdb and libnsssysinit.so, and fall
back to sql:$HOME/.pki/nssdb when libnsssysinit.so isn't set up? Again,
that would be a change since I last looked at it.

Or that there is coherent documentation? The best I've found is the page
at https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX — but that starts by
saying that applications should use NSS_InitReadWrite("sql:/etc/pki/nssdb"),
which AIUI is just broken on any system where /etc/pki/nssdb/pkcs11.txt
doesn't cause libnsssysinit.so to get loaded.

> Or did you mean Fedora's particular interpretation of how things should
> look?

I'm not aware of any "Fedora-specific interpretation of how things should
look". Can you elucidate?

Fedora does have this odd script which turns libnsssysinit.so on and off
in sql:/etc/pki/nssdb, for which I don't quite understand the motivation.
But that just switches the system between two configurations that an
application presumably has to be able to cope with anyway.

> Just use the canonical way to configure NSS to look for tokens - in which
> it also finds your meta-configuration token - namely sql:$HOME/.pki/nssdb

That's not system-wide; it's per-user. And in practice, I think Chrome and
Evolution are the only common apps that even use *that*.

> And lean on the applications that don't respect NSS's configuration
> semantics rather than trying to redefine NSS's configuration semantics.

Like Firefox? Bugs have been filed there for years...

-- 
dwmw2

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
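The fallback David describes (use sql:/etc/pki/nssdb where libnsssysinit.so is set up, otherwise sql:$HOME/.pki/nssdb) is something an application can implement on its own side without patching NSS. The C routine below is an added example, not code from the thread, from NSS, or from Fedora: it inspects the system pkcs11.txt for a `library=libnsssysinit.so` line and picks the configdir accordingly. The pkcs11.txt contents embedded in it are constructed samples in the shape NSS writes; that the `library=` key is the only switch Fedora's script toggles is an assumption, as are the function names. The example stops at computing the string so that it builds without the NSS headers; the NSS_InitReadWrite() call that would follow is named only in a comment.

```c
/* Added example: application-side choice of NSS configdir.
 * Rule (as described in the thread): if /etc/pki/nssdb/pkcs11.txt loads
 * libnsssysinit.so, use the system database; otherwise fall back to the
 * per-user sql:$HOME/.pki/nssdb. Then call NSS_InitReadWrite(configdir).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SYSTEM_NSSDB "sql:/etc/pki/nssdb"

/* Constructed sample pkcs11.txt contents (shape only; not copied from a
 * real system). SYSINIT_ON is what a set-up system looks like under the
 * assumption that Fedora's script toggles just the "library=" key. */
const char SYSINIT_ON[] =
    "library=libnsssysinit.so\n"
    "name=NSS Internal PKCS #11 Module\n"
    "parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= \n"
    "NSS=Flags=internal,critical\n";
const char SYSINIT_OFF[] =
    "library=\n"
    "name=NSS Internal PKCS #11 Module\n"
    "parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= \n"
    "NSS=Flags=internal,critical\n";

/* Return 1 if the pkcs11.txt buffer has a line "library=libnsssysinit.so"
 * (surrounding whitespace and CR ignored), 0 otherwise. */
int pkcs11_txt_loads_sysinit(const char *contents)
{
    static const char want[] = "library=libnsssysinit.so";
    const char *p = contents;
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        /* trim leading and trailing blanks on this line */
        while (len && (p[0] == ' ' || p[0] == '\t')) { p++; len--; }
        while (len && (p[len - 1] == ' ' || p[len - 1] == '\t' || p[len - 1] == '\r')) len--;
        if (len == strlen(want) && strncmp(p, want, len) == 0)
            return 1;
        p = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Write the configdir to pass to NSS_InitReadWrite() into out.
 * system_pkcs11_txt may be NULL (file absent or unreadable).
 * Returns 0 on success, -1 if HOME is unusable or out is too small. */
int choose_nss_configdir(const char *system_pkcs11_txt, const char *home,
                         char *out, size_t outlen)
{
    int n;
    if (system_pkcs11_txt && pkcs11_txt_loads_sysinit(system_pkcs11_txt))
        n = snprintf(out, outlen, "%s", SYSTEM_NSSDB);
    else if (home && *home)
        n = snprintf(out, outlen, "sql:%s/.pki/nssdb", home);
    else
        return -1;
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    char contents[4096] = "";
    char configdir[512];
    const char *src = NULL;
    /* Read the real system file if present; a missing file means "not set up". */
    FILE *f = fopen("/etc/pki/nssdb/pkcs11.txt", "r");
    if (f) {
        size_t n = fread(contents, 1, sizeof contents - 1, f);
        contents[n] = '\0';
        fclose(f);
        src = contents;
    }
    if (choose_nss_configdir(src, getenv("HOME"), configdir, sizeof configdir) == 0)
        printf("would call NSS_InitReadWrite(\"%s\")\n", configdir);
    else
        printf("no usable NSS configdir (HOME unset?)\n");
    return 0;
}
```

Run it on a machine with and without Fedora's setup-nsssysinit toggled on and the printed configdir changes between the two configurations the message says an application has to cope with anyway; an application that instead hard-codes the wiki's NSS_InitReadWrite("sql:/etc/pki/nssdb") prints nothing different and simply ends up with whatever that directory happens to hold.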