From Fedora Project Wiki
Line 47: Line 47:


== How To Test ==
== How To Test ==
Separately package nss, nss-softkn, and nss-util all having the same version numbers.
Separately package nss, nss-softokn, and nss-util all having the same version numbers.
Separately package nss, and nss-util as the very latest release while keeping nss-softn at an earlier release such as the current release which gor FIPS validated.
Separately package nss, and nss-util as the latest release while keeping nss-softokn at an earlier release such as the current release which gor FIPS validated.
There should not be any conflicts at installation time.
There should not be conflicts at installation time in either of the above cases.
There should be no regressions for components that depend on NSS such as: glibc, pimod_nss, nss_compat_nss, crypto-utils, openswan, and Pidgin's libpurple.
Components that depend on NSS should install withourt conflicts
 
There should be no regressions for components that depend on NSS.
Examples of these are glibc, mod_nss, nss_compat_nss, crypto-utils, openswan, and Pidgin's libpurple.


== User Experience ==
== User Experience ==

Revision as of 22:18, 21 July 2009

Important.png
Comments and Explanations
The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "edit" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR FEATURE.


Feature Name

Split Softoken off from NSS

Summary

The softokn cryptographic module of NSS should be split off as nss-softokn package. The utilities library which is a common library required by softokn and the rest of nss utils should also be packaged separately as nss-utils.

Owner

  • email: emaldona@redhat.com

Current status

  • Targeted release: Fedora 40
  • Last updated: (DATE)
  • Percentage of completion: 50%


Detailed Description

The softokn cryptographic module of NSS should be split off as the nss-softkn pacakage. A set of utilities called by both softokn and the rest of NSS would also need to be packaged as its own package.

NSS is FIPS 140 validated but what is really submitted for FIPS validation is the cryptographic module, that is, softkn. This split is to enable users and packagers to upgrade to the current version of NSS while preserving the last FIPS validated version of the cryptographic module if they so require. Fedora based distributions such as, but not limited to, RHEL would greatly benefit from this feature in terms of maintenance.

Benefit to Fedora

It will make Fedora a convenient Linux distribution to use when trying to be FIPS compliant.

Scope

This will not affect developers as it is a packaging change only and no changes to the NSS API are required nor changes to their build systems. The same libraries are shipped as before. They just get distributed among three packages.

The nss shared libraries currently distributed as

 nss: libnss3.so, libnssutil3.so, libnssdbm3.so, libssl3.so, 
      libsmime3.so, libsoftokn3.so, libsoftokn3.chk, libnssckbi.so, libnsspem.so
 softokn-freebl: libfreebl3.so, libfreebl3.chk

would be distributed as I) nss: libnss3.so, libnssdbm3.so, libssl3.so, libsmime3.so, libnssckbi.so, libnsspem.so I) softokn: libsoftokn3.so, libsoftokn3.chk

  softokn-freebl: libfreebl3.so, libfreebl3.chk

III) nss-util: libnssutil3.so

How To Test

Separately package nss, nss-softokn, and nss-util all having the same version numbers. Separately package nss, and nss-util as the latest release while keeping nss-softokn at an earlier release such as the current release which gor FIPS validated. There should not be conflicts at installation time in either of the above cases. Components that depend on NSS should install withourt conflicts There should be no regressions for components that depend on NSS. Examples of these are glibc, mod_nss, nss_compat_nss, crypto-utils, openswan, and Pidgin's libpurple.

User Experience

Neither developers nor end users should notice any difference with the exception seeing more packages being installed if they look closely at their yum installs or upgrades.

Dependencies

glibc, pmod_nss, nss_compat_nss, crypto-utils, openswan, and libpurple are some packages that depend on NSS. NSSS has no significant dependencies except for NSPR and this would have no effect on this relationship.


Contingency Plan

There are two contingency plans in case this split cannot be accomplished in time. 1) Make softkn and util subpacakes of nss instead of separte packages. 2) Revert to the current monolithic approach.

Documentation

  • A proof of concept implementation of this proposal can be obtained by executing

git clone git://fedorapeople.org/~emaldonado/splitnss.git

Release Notes

  • The Fedora Release Notes should describe the new packaging.

Comments and Discussion