Closed Bug 272905 Opened 20 years ago Closed 20 years ago

Add root CA certificate NSS patch to Camino

Categories

(Camino Graveyard :: General, enhancement)

Product:
Camino Graveyard
Component:
General
Platform:
PowerPC
macOS
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: hecker, Assigned: mikepinkerton)

References

Details

I've approved a bunch of new CAs to have their root CA certificates added to
Mozilla, etc. Nelson Bolyard has created an NSS patch to add those new CA certs
to the NSS built-in cert library (see bug 271585). I'm requesting that this NSS
patch for the new CA certs be added to future versions of Camino. (Nelson can
explain more about the actual patch and how it relates to the official NSS
releases.)
what do we need to do from a packaging standpoint in order to pick these up?
I'll defer to Nelson Bolyard for the definitive answer, but my understanding is
that this depends on whether you're pulling from the NSS trunk, from an NSS
branch maintained by the NSS team, or maintaining your own NSS branch. The CA
cert patch is currently on the NSS trunk and the NSS 3.9 branch, so if you're
pulling from either of those you should be OK. (But that needs to be confirmed,
which is why I filed the bug.)

The certs themselves end up in a dedicated shared library
(Camino.app/Contents/MacOS/libnssckbi.dylib for Camino). AFAIK this should be
the only Camino component affected by applying this patch.

camino pulls nss the same way that firefox/seamonkey pulls it. what do they do?
My understanding is that Firefox and Thunderbird are currently maintaining their
own copy of NSS on the aviary branch, so the root CA cert patch would need to be
separately applied to that branch in order for the certs to show up in a 1.0.x
release of those products. So I'm not sure that Camino is doing exactly the same
thing as Firefox (at least up through FF 1.0).

In any case, I just checked Camino 0.82 by doing

strings /Applications/Camino.app/Contents/MacOS/libnssckbi.dylib | grep Unizeto

(since Camino doesn't have a cert manager yet :-) and it's clear that Camino
picked up the last set of root CA changes, made sometime before FF 1.0 release.
However the latest 12/6 nightly does *not* have the new root CA certs that were
just added to the NSS trunk and NSS 3.9 branch. (I grep'ed libnssckbi.dylib for
"Sonera" and other names of the newly-added CAs.) So maybe Camino is pulling
from a Seamonkey copy of NSS?
ah, yes, i guess we're pulling whatever seamonkey pulls. i was unaware that the
branch for FF was different...that seems VERY wrong.

why was this done?
Depends on: 272903
Comments in bug 272903 seem to indicate that SeaMonkey should be pulling the
right files--and therefore Camino should now be doing so, too, correct?

strings /Applications/Internet/Camino.app/Contents/MacOS/libnssckbi.dylib | grep
Sonera

on a 23 Jan 0.8+ build comes back with several entries for Sonera.  So this bug
can be resolved/fixed now, too, or is something still needed for the potential
0.8.3?
I just ran the strings /Applications/Camino.app/Contents/MacOS/libnssckbi.dylib
| grep Sonera command on the 0.8.3 candidate build and got the same results as
from a recent 0.8+ nightly and a recent Fx 1.0+ nightly, so it seems that
everything has been resolved with the fix for bug 272903.

Based on that, I'm also marking resolved/fixed to get it off the list.  (I don't
think I've ever resolved/fixed a bug before, so if I've missed something, or it
should remain open for some reason, I apologize....)
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.