Decide the location of user-specific NSS shared databases on Linux

VERIFIED FIXED

Status

Core
Security: PSM
--
enhancement
9 years ago
8 years ago

People

(Reporter: Wan-Teh Chang, Unassigned)

Tracking

Trunk
All
Linux

Details

(Whiteboard: [psm-arch])

(Reporter)

Description

9 years ago
The Chromium browser is using NSS on Linux.  Chromium has
been using NSS without databases (NSS_NoDB_Init), but it's
time for Chromium to use NSS with databases (NSS_InitReadWrite)
so that it can support the addition of root CA certificates
and SSL client authentication.

Most of the Linux Chromium developers develop on Ubuntu
8.04, the latest Ubuntu long-term support (LTS) release.
The system NSS in Ubuntu 8.04 is NSS 3.12.0.3.

I need to tell the Linux Chromium developers how to initialize
NSS (http://bugs.chromium.org/12348).  Based on the info in
https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX, I advised
them to use ~/.pki/nssdb.  The patch is being reviewed at
http://codereview.chromium.org/115626.

But there is a document
http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
that suggests using ~/.config for user-specific configuration
files.  Chromium follows that standard and stores its
configuration files in ~/.config/chromium.

If NSS follows that standard, the NSS databases should be stored
in ~/.config/pki/nssdb.  But I'm not sure if that standard has
been widely adopted.

So, should the user-specific NSS shared databases be stored in
~/.pki/nssdb or ~/.config/pki/nssdb?

Note that Chromium can't use /etc/pki/nssdb yet because it
has to use the system NSS (3.12.0.3) in Ubuntu 8.04.

(Reporter)

Updated

9 years ago
Summary: Determine the location of user-specific NSS shared databases on Linux → Decide the location of user-specific NSS shared databases on Linux

Comment 1

9 years ago
Perhaps NSS can place a shortcut from ~/.pki/nssdb to ~/.config/pki/nssdb for max. compatibility.

BTW, I find /etc/pki64/nssdb rather odd. How about /etc/pki/nssdb64? Is this needed at all, isn't the DB architecture neutral? It would certainly break some RH based implementations. Or perhaps the system wide DB shouldn't be in /etc at all, instead somewhere in /usr/share or /var/lib.

Comment 2

8 years ago
Looking at recent developments, i.e. package nss-sysinit in Fedora Linux, I think the defaults have been decided.

/etc/pki/nssdb/

and

$USER/.pki/nssdb/

Assignee: kaie → nobody
Whiteboard: [psm-arch]

FWIW, chrome/chromium also uses $HOME/.pki/nssdb for its nss database.

Sorry for the pointless message, that was in comment 0.

Comment 5

8 years ago
I propose to mark this resolved fixed.

If I understand correctly, chrome appears to use the ~/.pki/nssdb directory now, too.

Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED