Re: dropping NSS DBM format support in F33+

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Apr 27, 2020 at 5:54 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Sat, Apr 25, 2020 at 1:21 PM Justin Forbes <jmforbes@xxxxxxxxxxx> wrote:
> > On Sat, Apr 25, 2020 at 10:21 AM Daiki Ueno <ueno@xxxxxxxxxxxxxxxxx> wrote:
> > >
> > > Hello Ondrej,
> > >
> > > Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:
> > >
> > > > On Fri, Apr 24, 2020 at 11:12 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > > >> On Fri, Apr 24, 2020 at 8:50 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > > >> > On Wed, Apr 22, 2020 at 10:12 AM Daiki Ueno <ueno@xxxxxxxxxxxxxxxxx> wrote:
> > > >> > > Hello,
> > > >> > >
> > > >> > > I am not sure if this deserves a Fedora Change proposal, so I'd like to
> > > >> > > hear any opinions first before proceeding with the process.
> > > >> > >
> > > >> > > NSS (the crypto library used by Firefox) historically supports 2
> > > >> > > database formats: SQLite and DBM.  The latter is considered legacy and
> > > >> > > we switched the default database format to SQLite in F28[1].  Since then
> > > >> > > I presume most of the applications have switched to the new format.
> > > >> > > Therefore we are planning to phase out the support of DBM, targetting
> > > >> > > F33+.
> > > >> > >
> > > >> > > Please let me know if there is any concern.
> > > >> >
> > > >> > It seems this broke the kernel build. I did some scratch build today
> > > >> > to test some patches, but it failed with this:
> > > >> >
> > > >> > + /usr/bin/pesign -c 'Red Hat Test Certificate' --certdir
> > > >> > /etc/pki/pesign-rh-test -i arch/x86/boot/bzImage -o vmlinuz.signed -s
> > > >> > pesign: Could not initialize nss.
> > > >> > NSS says "The certificate/key database is in an old, unsupported
> > > >> > format." errno says "No such file or directory"
> > > >> > error: Bad exit status from /var/tmp/rpm-tmp.YKqoK0 (%build)
> > > >> > RPM build errors:
> > > >> >     Bad exit status from /var/tmp/rpm-tmp.YKqoK0 (%build)
> > > >> > Child return code was: 1
> > > >>
> > > >> Probably related: https://github.com/rhboot/pesign/issues/34
> > > >
> > > > I filed a bug against pesign here:
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1827902
> > >
> > > Good catch, and thank you for filing the bug.  For the meantime I
> > > reverted the DBM disablement to unblock the kernel package build:
> > > https://src.fedoraproject.org/rpms/nss/c/fc0174ead16bac476cce55fb2918fbfd9b448023?branch=master
> > >
> >
> > Thanks for that, I know they were working on a fix for pesign on
> > Friday, but I am not sure what their timeframe is.
>
> I hit this over the weekend, does anyone have a workaround?

The NSS change has been reverted, so kernel builds should work now
(worked for me this morning [CEST]).

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux