Web lists-archives.com

Re: basilisk-browser

On Fri, Oct 19, 2018 at 12:28:16PM +0300, Reco wrote:
> Ridiculous or not, but stable's firefox-esr contains their own private
> version of NSS - [1]. Same for the thunderbird.
> But they try to keep it sane, so at least firefox does not embed
> 'correct' version of GTK3, for example.

That is very frustrating because there was a time when those
Mozilla-related packages used the system libnss.  Modifying the system
libnss to include an additional cetificate authority was the closest I
could get to deploying an internal CA within a network of Debian
machines (similar to how a Windows admin can push a CA to a bunch of
Windows machines via GPO).

However, they switched to bundled libnss at some point and my choices
became either rebuild each Mozilla-related package (FF, TB, etc.) or
have users manually install the CA.  Rebuilding those packages wasn't
worth the trouble.

It is really frustrating as this is one of those nagging inconveniences
(the lack of a standardized system-wide certificate store that is
actually used by all applications) of Linux that seems like it really
should have been resolved by now.


Roberto C. Sánchez