Bug 613814

Summary:	dev-java/icedtea-3.3.0 - the NSS security provider was not enabled for this build (sun.security.pkcs11.SunPKCS11 commented in java.security)
Product:	Gentoo Linux	Reporter:	Dennis Schridde <dschridde+gentoobugs>
Component:	Current packages	Assignee:	Andrew John Hughes <gnu_andrew>
Status:	RESOLVED WONTFIX
Severity:	normal	CC:	chewi, java
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Dennis Schridde 2017-03-25 17:47:19 UTC

In my /usr/lib64/icedtea8/jre/lib/security/java.security file I find the following lines:
```
# the NSS security provider was not enabled for this build; it can be enabled
# if NSS (libnss3) is available on the machine. The nss.cfg file may need
# editing to reflect the location of the NSS installation.
#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
```

However, dev-libs/nss-3.30 is installed. Either the comment is wrong, or the build failed to detect the presence of dev-libs/nss.

# emerge --info dev-java/icedtea dev-libs/nss
Portage 2.3.5 (python 2.7.12-final-42, default/linux/amd64/13.0/desktop/plasma/systemd, gcc-5.4.0, glibc-2.24-r1, 4.10.5-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.10.5-gentoo-x86_64-AMD_A10-7800_Radeon_R7,_12_Compute_Cores_4C+8G-with-gentoo-2.3
KiB Mem:    14345612 total,    205224 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Sat, 25 Mar 2017 14:15:01 +0000
sh bash 4.4_p12
ld GNU ld (Gentoo 2.27 p1.0) 2.27
ccache version 3.3.4 [disabled]
app-shells/bash:          4.4_p12::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.24.1-r1::gentoo
dev-lang/python:          2.7.13-r100::sage-on-gentoo, 3.4.6::gentoo, 3.5.3::gentoo
dev-util/ccache:          3.3.4::gentoo
dev-util/cmake:           3.7.2-r1::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/sandbox:         2.10-r4::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r2::gentoo
sys-devel/automake:       1.11.6-r2::gentoo, 1.12.6-r1::gentoo, 1.13.4-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.27::gentoo
sys-devel/gcc:            5.4.0-r3::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r4::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.10::gentoo (virtual/os-headers)
sys-libs/glibc:           2.24-r1::gentoo
Repositories:

gentoo
    location: /var/cache/portage/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.de.gentoo.org/gentoo-portage
    priority: -1000

flatpak-overlay
    location: /var/lib/layman/flatpak-overlay
    sync-type: laymansync
    sync-uri: git://github.com/fosero/flatpak-overlay.git
    masters: gentoo
    priority: 50

kde
    location: /var/lib/layman/kde
    sync-type: laymansync
    sync-uri: git://anongit.gentoo.org/proj/kde.git
    masters: gentoo
    priority: 50

sage-on-gentoo
    location: /var/lib/layman/sage-on-gentoo
    sync-type: laymansync
    sync-uri: git://github.com/cschwan/sage-on-gentoo.git
    masters: gentoo science
    priority: 50

science
    location: /var/lib/layman/science
    sync-type: laymansync
    sync-uri: git://anongit.gentoo.org/proj/sci.git
    masters: gentoo
    priority: 50

local
    location: /var/cache/portage/local
    masters: gentoo
    priority: 100

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-pipe -O2 -march=bdver3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.1/ext-active/ /etc/php/cgi-php7.1/ext-active/ /etc/php/cli-php7.1/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-pipe -O2 -march=bdver3"
DISTDIR="/var/cache/portage/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going --nospinner --verbose-conflicts"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildsyspkg cgroup compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync network-sandbox news parallel-fetch parallel-install preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.spline.inf.fu-berlin.de/mirrors/gentoo/ http://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/ http://distfiles.gentoo.org"
LANG="de_DE.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
MAKEOPTS="-j3"
PKGDIR="/var/cache/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac aacplus aacs acl acpi alsa amd64 appindicator appstream archive audit avahi bash-completion bdplus berkdb bluetooth bluray branding bs2b bzip2 cairo caps cdda cddb cdio cdr celt chromaprint cjk clang cli colord colorio conntrack cracklib crypt cups cxx d3d9 dbus declarative dirac dri dts dvb dvd dvdr egl emboss encode exif fam fax ffmpeg fftw firefox fits flac fontconfig fortran fribidi gdbm geoclue geolocation gif git glamor gles gmp googledrive gpm gstreamer gtk gtk3 harfbuzz ibus iconv icu idn inotify ipv6 jemalloc jpeg jpeg2k kde kipi kwallet ladspa latex lcms ldap libinput libnotify libproxy libsecret libsoxr lua_target_lua5-2 lv2 lz4 lzma lzo mad mercurial metis mjpeg mng modemmanager modplug modules mp3 mp4 mpeg mplayer mtp multilib mysql ncurses netlink networkmanager nls nptl ogg openal opencl opencv openexr opengl openmax openmp opus pam pango pcap pch pcre pcre2 pdf phonon plasma png policykit postscript ppds prison pulseaudio qml qt3support qt4 qt5 raw readline rtmp samba scanner schroedinger sctp sdl seccomp semantic-desktop session sparse speech speex spell ssl startup-notification svg systemd tbb tcpd telepathy theora threads tiff timezone truetype tslib udev udisks unicode unwind upnp upnp-av upower usb v4l v4l2 vaapi vdpau vorbis vpx vulkan wavpack wayland webp widgets x264 x265 xattr xcb xcomposite xinerama xml xmp xrandr xscreensaver xv xvid xz zeroconf zlib" ABI_X86="64" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_EXPERIMENTAL_FEATURES="stage" CALLIGRA_FEATURES="words sheets karbon plan" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx fma3 fma4 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3xop" ELIBC="glibc" ENLIGHTENMENT_MODULES="*" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="coreboot efi-64 pc" INPUT_DEVICES="joystick libinput" KERNEL="linux" L10N="de en en-GB ar fa tr ja ko zh zh-CN zh-TW" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de en en_GB ar fa tr" LIRC_DEVICES="devinput" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4 python3_5 pypy pypy3" RUBY_TARGETS="ruby21" USERLAND="GNU" VIDEO_CARDS="amdgpu" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

dev-java/icedtea-3.3.0::gentoo was built with the following:
USE="alsa cups gtk jbootstrap nsplugin pch pulseaudio sctp shenandoah sunec webstart (-cacao) -doc -examples -headless-awt (-jamvm) -kerberos -libressl -pax_kernel (-selinux) -smartcard -source -test -zero" ABI_X86="64"


dev-libs/nss-3.30::gentoo was built with the following:
USE="nss-pem utils -cacert" ABI_X86="32 64 -x32"

Comment 1 James Le Cuirot gentoo-dev

2017-03-28 07:02:09 UTC

This provider has big memory leaks and shouldn't be used. If you're building from source then NSS is also used in the SunEC provider. If you're using icedtea-bin then we recently switched to the bundled version to avoid ABI breakages.