Revision as of 01:18, 27 July 2009

Comments and Explanations
The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "edit" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR FEATURE.

Feature Name

Split Softokn off from NSS

Summary

The softokn cryptographic module of NSS should be split off as nss-softokn package. The utilities library which is a common library required by softokn and the rest of nss utils should also be packaged separately as nss-utils.

Owner

Name: emaldonado

email: emaldona@redhat.com

Current status

Targeted release: Fedora 19
Last updated: (DATE)
Percentage of completion: 75%

Detailed Description

The softokn cryptographic module of NSS should be split off as the nss-softkn pacakage. A set of utilities called by both softokn and the rest of NSS would also need to be packaged as its own package.

NSS is FIPS 140 validated but what is really submitted for FIPS validation is the cryptographic module, that is, softkn. This split is to enable users and packagers to upgrade to the current version of NSS while preserving the last FIPS validated version of the cryptographic module if they so require. Fedora based distributions such as, but not limited to, RHEL would greatly benefit from this feature in terms of maintenance.

Benefit to Fedora

It will make Fedora a convenient Linux distribution to use when trying to be FIPS compliant.

Scope

This will not affect developers as it is a packaging change only and no changes to the NSS API are required nor changes to their build systems. The same libraries are shipped as before. They just get distributed among three packages.

The nss shared libraries which are currently distributed as

 nss: libnss3.so, libnssutil3.so, libnssdbm3.so, libssl3.so, 
      libsmime3.so, libsoftokn3.so, libsoftokn3.chk, libnssckbi.so, libnsspem.so
 softokn-freebl: libfreebl3.so, libfreebl3.chk

would be distributed among the packages as

 nss: libnss3.so, libnssutil3.so, libnssdbm3.so, libssl3.so, libsmime3.so, libnssckbi.so, libnsspem.so
 softokn: libsoftokn3.so, libsoftokn3.chk
 softokn-freebl: libfreebl3.so, libfreebl3.chk
 util: ibnssutil3.so

How To Test

Separately package nss, nss-softokn, and nss-util all having the same version numbers. Separately package nss, and nss-util as the latest release while keeping nss-softokn at an earlier release such as the current release which gor FIPS validated. There should not be conflicts at installation time in either of the above cases. Components that depend on NSS should install withourt conflicts There should be no regressions for components that depend on NSS. Examples of these are glibc, mod_nss, nss_compat_nss, crypto-utils, openswan, and Pidgin's libpurple.

User Experience

Neither developers nor end users should notice any difference with the exception seeing more packages being installed if they look closely at their yum installs or upgrades.

Dependencies

glibc, pmod_nss, nss_compat_nss, crypto-utils, openswan, and libpurple are some packages that depend on NSS. NSSS has no significant dependencies except for NSPR and this would have no effect on this relationship.

Contingency Plan

There are two contingency plans in case this split cannot be accomplished in time. 1) Make softokn and util sub-packages of nss instead of stand-alone packages. 2) Revert to using the current monolithic approach.

Documentation

A proof of concept implementation of this proposal can be obtained by executing

git clone git://fedorapeople.org/~emaldonado/splitnss.git

Release Notes

The Fedora Release Notes should describe the new packaging.

Comments and Discussion

See Talk:Features/SplitSoftoknFromNSS

@@ Line 7: / Line 7: @@
 = Feature Name =
-<!-- The name of your feature -->
+Split Softokn off from NSS
 == Summary ==
-<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
+The softokn cryptographic module of NSS should be split off as nss-softokn package. The utilities library which is a common library required by softokn and the rest of nss utils should also be packaged separately as nss-utils.
 == Owner ==
-<!--This should link to your home wiki page so we know who you are-->
+* Name: [[User:FASAcountName| emaldonado]]
-* Name: [[User:FASAcountName| Your Name]]
-<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or  technical issues need to be resolved-->
+* email: emaldona@redhat.com
-* email: <your email address so we can contact you, invite you to meetings, etc.>
 == Current status ==
 * Targeted release: [[Releases/{{FedoraVersion||next}} | {{FedoraVersion|long|next}} ]]
 * Last updated: (DATE)
-* Percentage of completion: XX%
+* Percentage of completion: 75%
 <!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
 == Detailed Description ==
-<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
+The softokn cryptographic module of NSS should be split off as the nss-softkn pacakage. A set of utilities called by both softokn and the rest of NSS would also need to be packaged as its own package.
+NSS is FIPS 140 validated but what is really submitted for FIPS validation is the cryptographic module, that is, softkn. This split is to enable users and packagers to upgrade to the current version of NSS while preserving the last FIPS validated version of the cryptographic module if they so require. Fedora based distributions such as, but not limited to, RHEL would greatly benefit from this feature in terms of maintenance.
 == Benefit to Fedora ==
-<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?-->
+It will make Fedora a convenient Linux distribution to use when trying to be FIPS compliant.
 == Scope ==
-<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
+This will not affect developers as it is a packaging change only and no changes to the NSS API are required nor changes to their build systems. The same libraries are shipped as before. They just get distributed among three packages.
-== How To Test ==
+The nss shared libraries which are currently distributed as
-<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.
+  nss: libnss3.so, libnssutil3.so, libnssdbm3.so, libssl3.so,
+       libsmime3.so, libsoftokn3.so, libsoftokn3.chk, libnssckbi.so, libnsspem.so
+  softokn-freebl: libfreebl3.so, libfreebl3.chk
-Remember that you are writing this how to for interested testers to use to check out your feature - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your feature.
+would be distributed among the packages as
+  nss: libnss3.so, libnssutil3.so, libnssdbm3.so, libssl3.so, libsmime3.so, libnssckbi.so, libnsspem.so
+  softokn: libsoftokn3.so, libsoftokn3.chk
+  softokn-freebl: libfreebl3.so, libfreebl3.chk
+  util: ibnssutil3.so
-A good "how to test" should answer these four questions:
+== How To Test ==
+Separately package nss, nss-softokn, and nss-util all having the same version numbers.
-. What special hardware / data / etc. is needed (if any)?
+Separately package nss, and nss-util as the latest release while keeping nss-softokn at an earlier release such as the current release which gor FIPS validated.
-. How do I prepare my system to test this feature? What packages
+There should not be conflicts at installation time in either of the above cases.
-need to be installed, config files edited, etc.?
+Components that depend on NSS should install withourt conflicts
-. What specific actions do I perform to check that the feature is
+There should be no regressions for components that depend on NSS.
-working like it's supposed to?
+Examples of these are glibc, mod_nss, nss_compat_nss, crypto-utils, openswan, and Pidgin's libpurple.
-. What are the expected results of those actions?
--->
 == User Experience ==
-<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
+Neither developers nor end users should notice any difference with the exception seeing more packages being installed if they look closely at their yum installs or upgrades.
 == Dependencies ==
-<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
+glibc, pmod_nss, nss_compat_nss, crypto-utils, openswan, and libpurple are some packages that depend on NSS. NSSS has no significant dependencies except for NSPR and this would have no effect on this relationship.
 == Contingency Plan ==
-<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
+There are two contingency plans in case this split cannot be accomplished in time.
+) Make softokn and util sub-packages of nss instead of stand-alone packages.
+) Revert to using the current monolithic approach.
 == Documentation ==
-<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
+* A proof of concept implementation of this proposal can be obtained by executing
-*
+git clone git://fedorapeople.org/~emaldonado/splitnss.git
 == Release Notes ==
-<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
+* The Fedora Release Notes should describe the new packaging.
-<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
-*
 == Comments and Discussion ==
-* See [[Talk:Features/YourFeatureName]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
+* See [[Talk:Features/SplitSoftoknFromNSS]]
 [[Category:FeaturePageIncomplete]]
 <!-- When your feature page is completed and ready for review -->
 <!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
 <!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
 <!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
-<!-- Note that the current Feature guidelines require useful Scope and Test Plans at certain milestones; QA is responsible for checking these, and will change this category as needed. -->

Fedora

Personal tools

Views

wiki

Navigation

sub-projects

Search

Toolbox

Features/FeatureReadyForWrangler/SplitSoftoknFromNSS

From FedoraProject