p11-kit trust module on Debian and OpenSUSE

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jul 26 18:02:27 UTC 2017

Hi David--

On Wed 2017-07-26 16:29:18 +0100, David Woodhouse wrote:
> On Fri, 2013-06-07 at 12:17 -0400, Daniel Kahn Gillmor wrote:
>> On 06/07/2013 11:31 AM, Stef Walter wrote:
>> > 
>> > I've been working to make p11-kit work with the update-ca-certificates
>> > script on OpenSUSE and Debian. I think they're pretty much the same, so
>> > I hope referring to them together is okay.
>>
>> I've just forwarded this to the
>> <pkg-auth-maintainers at lists.alioth.debian.org> mailing list, which is
>> another place where discussion around PKI in Debian is taking place.
>> I apologize for not having the time to review the specifics right now,
>> but i definitely support the general direction this proposal is taking.
>
> Where are we with this? Four years on, Debian/Ubuntu still doesn't seem
> to have managed to ship p11-kit-trust.so as an "alternative" for
> libnssckbi.so (and in fact seem to have regressed to having *multiple*
> copies of libnssckbi.so with multiple incompatible versions of NSS, and
> doesn't even support the NSS "Shared System Database").
>
> We end up with people having to jump through lots of nasty hoops just
> to install their own CA and have it actually work system-wide, which
> really ought to Just Work out of the box...
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180
> https://bugs.launchpad.net/ubuntu/+source/p11-kit/+bug/1647285
> https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1648616
>
> Is there any prospect of getting it fixed any time soon?

I'd still like to see this happen, but i'm not sure what the right steps
are here.  I've added pkg-mozilla-maintainers at lists.alioth.debian.org to
the Cc list since that's the maintainer of record for NSS, and they
might want to weigh in on how they think it'd be most sensibly handled.

