#2415 F33 Self-Contained Change: NSS dbm support removal
Closed: Accepted 3 years ago by decathorpe. Opened 3 years ago by bcotton.

Network Security Services (NSS) historically supports 2 different database backends, based on SQLite and dbm. Since Fedora 28, the SQLite backend has been used by default and the dbm backend has been deprecated (NSS Default File Format SQL). This Change is about removing the support for the dbm backend entirely.


The change page should probably describe in more detail where this DB is actually used and how to see that nothing would break.

After one week, I count the vote as (+0,0,-0). Will wait for additional votes.

Consider me technically -1 until @ignatenkobrain's question on the mailing list and his comment here are addressed.

@ueno can you address our concerns please?

Metadata Update from @ignatenkobrain:
- Issue assigned to ueno

3 years ago

Hi, I've replied to Igor's question on the mailing list:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/TUFBFUE77RY3AZNWAUKS32CPEH6ZAEN6/
with an idea that we provide a script to automate the check, but I haven't started thorough research yet; hopefully we can only care about /etc/pki/nssdb, but there might be other locations.

I would appreciate it if you could update the Change Page accordingly. With that information, I'm +1 on the change.

I would appreciate it if you could update the Change Page accordingly. With that information, I'm +1 on the change.

Sure, done.

Metadata Update from @ignatenkobrain:
- Assignee reset
- Issue tagged with: fast track

3 years ago

Nacking the fast track: there is no need to rush this. It's old but was updated recently and will be approved in 2 days.

+1 to the change proposal.

Metadata Update from @churchyard:
- Issue untagged with: fast track

3 years ago

Metadata Update from @churchyard:
- Issue tagged with: pending announcement

3 years ago

Metadata Update from @decathorpe:
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @bcotton:
- Issue untagged with: F33
- Issue set to the milestone: Fedora 33

3 years ago

The change page claims:

We will provide a script to check NSS databases on known locations and possibly run it during the package upgrade process.

Where is that script? How can I know whether upgrading to Fedora 33 will break my system?

In the end, it turned into a scriptlet embedded in nss.spec:
https://src.fedoraproject.org/rpms/nss/blob/master/f/nss.spec#_768

That could be incomplete though as we don't list all the possibilities.

Doing this in %post is inherently flawed because at this point the installed NSS already has DBM support disabled. Or does certutil still support the old format?

That said, my /etc/pki/nssdb/ contains the new files (cert9.db, key4.db, and pkcs11.txt) next to the old files (cert8.db, key3.db, and secmod.db), so I guess it is already migrated.
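The file-name check described in the comment above, written out as an added example; it is not the scriptlet from nss.spec and not code from anyone in this thread. It assumes the six file names listed in the ticket and treats cert9.db and key4.db as valid only if they start with the SQLite 3 header; the function names and state labels are made up for this illustration.

```shell
#!/bin/sh
# Added example: NOT the scriptlet from nss.spec.
# File names are the ones listed in the ticket:
#   dbm (legacy): cert8.db key3.db secmod.db
#   SQLite:       cert9.db key4.db pkcs11.txt

# Succeeds if $1 is a regular file starting with the SQLite 3 header.
is_sqlite() {
    [ -f "$1" ] && [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

# Prints one state for directory $1 (labels are this example's own):
#   sql       valid SQLite databases only
#   both      valid SQLite databases with legacy dbm files beside them
#   dbm-only  legacy files with no valid SQLite database
#   none      no legacy files and no valid SQLite database
classify_nssdb() {
    dir=$1 dbm=no sql=no
    for f in cert8.db key3.db secmod.db; do
        if [ -e "$dir/$f" ]; then dbm=yes; fi
    done
    if is_sqlite "$dir/cert9.db" && is_sqlite "$dir/key4.db"; then sql=yes; fi
    case "$sql/$dbm" in
        yes/no)  echo sql ;;
        yes/yes) echo both ;;
        no/yes)  echo dbm-only ;;
        *)       echo none ;;
    esac
}

# Reports each directory given; returns 1 if any of them is dbm-only.
check_nssdb_dirs() {
    rc=0
    for d in "$@"; do
        state=$(classify_nssdb "$d")
        echo "$d: $state"
        if [ "$state" = dbm-only ]; then rc=1; fi
    done
    return "$rc"
}

# Usage: sh check-nssdb.sh /etc/pki/nssdb [other directories...]
if [ "$#" -gt 0 ]; then check_nssdb_dirs "$@"; fi
```

Because it only reads file names and headers, it can be run before the upgrade, while the installed NSS can still open a dbm database.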
