libnss consolidation (was: Re: X.509 and CA certificates for other purposes (i.e. the IGTF))
- To: debian developers <firstname.lastname@example.org>
- Subject: libnss consolidation (was: Re: X.509 and CA certificates for other purposes (i.e. the IGTF))
- From: Florian Weimer <email@example.com>
- Date: Mon, 10 Jun 2013 07:06:32 +0200
- Message-id: <firstname.lastname@example.org>
- In-reply-to: <CAE2SPAZaV0px6cSDYP1CZxHEs0qJZBm+mEBGztaFH6+Vc9bCuA@mail.gmail.com> (Bastien ROUCARIES's message of "Sun, 26 May 2013 20:02:44 +0200")
- References: <519F41BD.email@example.com> <20130525122708.GA29404@falafel.plessy.net> <CAE2SPAZaV0px6cSDYP1CZxHEs0qJZBm+mEBGztaFH6+Vc9bCuA@mail.gmail.com>
* Bastien ROUCARIES:
> Maybe crypto consolidation around libnss will greatly help here.
> jessie release goal ?

NSS has lots of global state, and its proper initialization from
another library is difficult. Switching over to it is probably
doable, but it's not really straightforward. On the other hand, the
TLS implementation in NSS has been doing host name validation for a
long time, which is still problematic with some of the other

NSS has its own problems with SUID/SGID binaries, but these could be
addressed by switching PR_GetEnv to secure_getenv.
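
The policy that glibc's secure_getenv applies, written out as an added example (not part of the message above and not NSPR or NSS code): the environment is ignored whenever the process was started SUID/SGID. The names hardened_getenv, filtered_getenv, trace_file_path and EXAMPLE_TRACE_FILE are hypothetical, and Linux with glibc is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>

/* Nonzero when the kernel flagged this exec as privileged (SUID/SGID or
 * file capabilities), or when real and effective ids differ. */
int process_is_privileged(void)
{
    if (getauxval(AT_SECURE) != 0)
        return 1;
    return getuid() != geteuid() || getgid() != getegid();
}

/* Lookup with the policy passed in explicitly so both paths can be
 * exercised: a privileged process never sees caller-controlled values. */
const char *filtered_getenv(const char *name, int privileged)
{
    if (privileged)
        return NULL;
    return getenv(name);
}

/* Hypothetical drop-in shape for a getenv wrapper such as PR_GetEnv. */
const char *hardened_getenv(const char *name)
{
    return filtered_getenv(name, process_is_privileged());
}

/* Typical caller: an environment override with a fixed fallback.
 * EXAMPLE_TRACE_FILE is a constructed variable name. */
const char *trace_file_path(int privileged)
{
    const char *p = filtered_getenv("EXAMPLE_TRACE_FILE", privileged);
    return (p != NULL && p[0] == '/') ? p : "/dev/null";
}

int main(void)
{
    setenv("EXAMPLE_TRACE_FILE", "/tmp/constructed-trace.log", 1);
    printf("privileged=%d\n", process_is_privileged());
    printf("unprivileged view: %s\n", trace_file_path(0));
    printf("SUID/SGID view:    %s\n", trace_file_path(1));
    return 0;
}
```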