According to https://bugzilla.mozilla.org/show_bug.cgi?id=449498 and https://bugzilla.mozilla.org/show_bug.cgi?id=454036 one can replace libnssckbi.so with p11-kit-trust.so (from app-crypt/p11-kit) to make Firefox/Chrome respect system CA/Certs.

I tried this using a symlink:

gentoo-jocke lib64 # pwd
/usr/lib64
gentoo-jocke lib64 # ls -l libnssckbi.so
lrwxrwxrwx 1 root root 23 Jul 20 18:21 libnssckbi.so -> pkcs11/p11-kit-trust.so*

and it worked well in Firefox.

Can we have a USE flag in dev-libs/nss which installs a symlink instead of libnssckbi.so?
Question: Is there some portage feature I can use to protect the above symlink so newer dev-libs/nss won't overwrite it?
I should mention that this is what Fedora does.
You might try adding an install mask. For example, in my /etc/portage/make.conf I have INSTALL_MASK="/usr/lib64/libnssckbi.so", and so nothing will overwrite that file when emerged.
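An added example, not part of the bug thread or of any Gentoo tooling: a shell check that the override described above is in place and protected. It assumes the paths quoted in the thread, a single-file make.conf, and an INSTALL_MASK written on one line with the literal path; the function name and return codes are made up for this example.

```shell
#!/bin/sh
# Added example: audit the libnssckbi.so -> p11-kit-trust.so override.
# Assumptions: paths are the ones quoted in the thread; make.conf is one file
# and INSTALL_MASK is a single-line assignment naming the path literally.

LIB=/usr/lib64/libnssckbi.so
CONF=/etc/portage/make.conf

# check_trust_override [ROOT]   (ROOT is an optional prefix, e.g. a chroot)
# returns 0: symlink to p11-kit-trust.so exists and INSTALL_MASK lists it
#         1: libnssckbi.so is missing, a regular file, or points elsewhere
#         2: symlink is correct but INSTALL_MASK does not protect it
check_trust_override() {
    root=${1:-}
    lib=$root$LIB
    conf=$root$CONF

    # A regular file here means the stock NSS module is (back) in place.
    [ -L "$lib" ] || return 1
    target=$(readlink "$lib") || return 1
    [ "$(basename "$target")" = "p11-kit-trust.so" ] || return 1
    # Dangling link: the target module cannot be loaded.
    [ -e "$lib" ] || return 1

    [ -f "$conf" ] || return 2
    # Drop comments, keep only INSTALL_MASK assignments (not PKG_INSTALL_MASK),
    # then look for the exact library path.
    sed 's/#.*//' "$conf" \
        | grep -E '^[[:space:]]*INSTALL_MASK=' \
        | grep -qF "$LIB" || return 2
    return 0
}
```

Run `check_trust_override` with no argument on the live system after each dev-libs/nss update; a return of 1 means the symlink has been replaced.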
(In reply to gentoo from comment #3)
> You might try adding an install mask. For example, in my
> /etc/portage/make.conf I have INSTALL_MASK="/usr/lib64/libnssckbi.so", and
> so nothing will overwrite that file when emerged.

Ahh, forgot about INSTALL_MASK. Seems like you already did this before my bug? Then I am not alone in Gentoo land.

Mozilla team, is this on your radar?
On our radar, yes. We haven't decided what we're going to do with it yet though.
(In reply to Ian Stakenvicius from comment #5)
> On our radar, yes. We haven't decided what we're going to do with it yet
> though.

* blip * :)
I think your radar needs some maintenance ... :)
(In reply to Joakim Tjernlund from comment #7)
> I think your radar needs some maintenance ... :)

The problem here is that I really do not feel qualified to mess with a security package like dev-libs/nss at all, and have been riding the coattails of those before me in any commits that I do. Those that *are* qualified have been significantly unavailable as of late.

I would recommend sticking with the INSTALL_MASK method to protect your override for now. We will absolutely leave the bug open in the meantime.
(In reply to Ian Stakenvicius from comment #8)
> (In reply to Joakim Tjernlund from comment #7)
> > I think your radar needs some maintenance ... :)
>
> The problem here is that I really do not feel qualified to mess with a
> security package like dev-libs/nss at all, and have been riding the
> coattails of those before me in any commits that I do. Those that *are*
> qualified have been significantly unavailable as of late.
>
> I would recommend sticking with the INSTALL_MASK method to protect your
> override for now. We will absolutely leave the bug open in the meantime.

Ian, it is fine to override with an experimental/unsupported useflag. We will not be responsible for any break and it needs to be made extremely clear.
If you feel I have closed your bug and it is still a current issue, please reopen and update it completely. We will not work bugs that have no ebuild in tree any longer or cannot be reproduced with a current system.

Thank You for your support and understanding
The Mozilla Team