#2415 F33 Self-Contained Change: NSS dbm support removal
Closed: Accepted 4 years ago by decathorpe. Opened 4 years ago by bcotton.

Network Security Services (NSS) historically supports 2 different database backends, based on SQLite and dbm. Since Fedora 28, the SQLite backend has been used by default and the dbm backend has been deprecated (NSS Default File Format SQL). This Change is about removing the support for the dbm backend entirely.


Probably the change page should describe more where actually this DB is used and how to see that nothing would break.

After one week, I count the vote as (+0,0,-0). Will wait for additional votes.

Consider me technically -1 until @ignatenkobrain's question on the mailing list and his comment here are addressed.

@ueno can you address our concerns please?

Metadata Update from @ignatenkobrain:
- Issue assigned to ueno

4 years ago

Hi, I've replied to Igor's question on the mailing list:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/TUFBFUE77RY3AZNWAUKS32CPEH6ZAEN6/
with an idea that we provide a script to automate the check, but I haven't started thorough research yet; hopefully we can only care about /etc/pki/nssdb, but there might be other locations.

I would appreciate if you could update Change Page accordingly. With that information, I'm +1 on the change.

I would appreciate if you could update Change Page accordingly. With that information, I'm +1 on the change.

Sure, done.

Metadata Update from @ignatenkobrain:
- Assignee reset
- Issue tagged with: fast track

4 years ago

Nacking the fast track, there is no need to rush this, it's old but was updated recently and will be approved in 2 days.

+1 to the change proposal.

Metadata Update from @churchyard:
- Issue untagged with: fast track

4 years ago

Metadata Update from @churchyard:
- Issue tagged with: pending announcement

4 years ago

Metadata Update from @decathorpe:
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

4 years ago

Metadata Update from @bcotton:
- Issue untagged with: F33
- Issue set to the milestone: Fedora 33

3 years ago

The change page claims:

We will provide a script to check NSS databases on known locations and possibly run it during the package upgrade process.

Where is that script? How can I know whether upgrading to Fedora 33 will break my system?

It in the end turned to a scriptlet embedded in nss.spec:
https://src.fedoraproject.org/rpms/nss/blob/master/f/nss.spec#_768

That could be incomplete though as we don't list all the possibilities.

Doing this in %post is inherently flawed because at this point the installed NSS already has DBM support disabled. Or does certutil still support the old format?

That said, my /etc/pki/nssdb/ contains the new files (cert9.db, key4.db, and pkcs11.txt) next to the old files (cert8.db, key3.db, and secmod.db), so I guess it is already migrated.

Log in to comment on this ticket.

Metadata