libnss consolidation (was: Re: X.509 and CA certificates for other purposes (i.e. the IGTF))

To: debian developers <debian-devel@lists.debian.org>
Subject: libnss consolidation (was: Re: X.509 and CA certificates for other purposes (i.e. the IGTF))
From: Florian Weimer <fw@deneb.enyo.de>
Date: Mon, 10 Jun 2013 07:06:32 +0200
Message-id: <[🔎] 87vc5mtuzr.fsf_-_@mid.deneb.enyo.de>
In-reply-to: <CAE2SPAZaV0px6cSDYP1CZxHEs0qJZBm+mEBGztaFH6+Vc9bCuA@mail.gmail.com> (Bastien ROUCARIES's message of "Sun, 26 May 2013 20:02:44 +0200")
References: <519F41BD.10108@nikhef.nl> <20130525122708.GA29404@falafel.plessy.net> <CAE2SPAZaV0px6cSDYP1CZxHEs0qJZBm+mEBGztaFH6+Vc9bCuA@mail.gmail.com>

* Bastien ROUCARIES:

> Maybe crypto consolidation arround libnss will greatly help here.
> jessie release goal ?

NSS has lots of global state, and its proper initialization from
another library is difficult.  Switching over to it is probably
doable, but it's not really straightforward.  On the other hand, the
TLS implementation in NSS has been doing host name validation for a
long time, which is still problematic with some of the other
implementations.

NSS has its own problems with SUID/SGID binaries, but these could be
addressed by switching PR_GetEnv to secure_getenv.

Reply to:

Follow-Ups:
- Re: libnss consolidation (was: Re: X.509 and CA certificates for other purposes (i.e. the IGTF))
  - From: Bastien ROUCARIES <roucaries.bastien@gmail.com>

Prev by Date: Re: Survey answers part 1: systemd has too many dependencies, …
Next by Date: Re: security policy / root passwords
Previous by thread: Re: Bug#711811: ITP: foreman -- manage Procfile-based applications
Next by thread: Re: libnss consolidation (was: Re: X.509 and CA certificates for other purposes (i.e. the IGTF))
Index(es):
- Date
- Thread