Rebuild NSS with support for system-wide config file
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
nss (Ubuntu) | New | Undecided | Unassigned | | |
Bug Description
NSS should be rebuilt with this patch:
diff --git a/debian/
new file mode 100644
index 00000000..0f796964
--- /dev/null
+++ b/debian/
@@ -0,0 +1 @@
+etc/nss
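Review bot: the only line added to the new file under debian/ is etc/nss, and nothing in the patch says who is expected to put a pkcs11.txt there or with what ownership. A file in that directory would set policy for everything using the system-provided libnss3, so I would add a short note (changelog or README.Debian) stating that the package ships the directory without a default pkcs11.txt and that it should stay root-owned and not writable by other users.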
diff --git a/debian/rules b/debian/rules
index 5ab1ced0..51bee160 100755
--- a/debian/rules
+++ b/debian/rules
@@ -128,6 +128,8 @@ override_
+ POLICY_
+ POLICY_
override_
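Review bot: the two added POLICY_ lines sit just before the override_ target with no comment saying what they enable. The description notes that the directory could be another one, and etc/nss is also listed in the new file under debian/, so please add a comment above these lines stating what each setting does and that any path set here has to be kept in sync with that entry.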
The directory could be another one, of course. This will allow us to create a system-wide /etc/nss/pkcs11.txt file which could load the NSS policy module.
The upstream documentation is quite poor and outdated, unfortunately:
https:/
https:/
The current source code is the best documentation, and has a ton of tests that show how to use the policy module:
- allow/disallow options: https:/
- versions and key sizes: https:/
- other qualifiers for algorithms (which types of signatures): https:/
- tons of policy tests: https:/
Here is a sample /etc/nss/pkcs11.txt which enables the policy module with certain values:
library=
name=Policy
NSS=flags=
config=
The same config snippet can of course be used in ~/.pki/
- firefox: ~/snap/
- thunderbird: ~/.thunderbird/
- chrome and system-provided libnss3: ~/.pki/
Note thunderbird ships its own libnss3 (zomg), and would not be affected by this build change (unless it's done in the thunderbird source package too).