10.04.2016, 19:06, Ryan Tandy wrote:
> On Sun, Apr 10, 2016 at 12:11:40PM +0300, Timo Aaltonen wrote:
>> Building from the same root would mean unapplying nss-build.diff on
>> clean and that might be fragile. Using quilt and keeping the patch last
>> on series makes adding patches to need a bit more work. But if you
>> prefer this more then I can make that happen.
>
> My preference for that was assuming we could build identical source with
> different options, but it looks like we have several reasons for using
> modified sources.
>
>> I've pushed new commits to the branch trying to address all the things
>> you've mentioned. But looks like #726116 might make all of this too
>> early.
>
> Ah. That's unfortunate.
>
> The obvious workaround is to give the NSS build its own config file,
> with the ca-certificates.crt reference removed. Not exactly ideal, and
> it causes us upgrade grief later on if we want to switch back to having
> the same file for both.
>
> Actually gnutls28 is configured with a default trust store these days. I
> should look into whether that works with libldap and that default
> setting could be dropped. Not sure about upgraded systems though; we
> aren't supposed to modify conffiles in maintainer scripts, so we'd be
> relying on users to accept the change. Sounds fragile.

Ok, I've got some news and I think it's good: 389ds is working on
getting rid of the dependency on nss:

http://www.port389.org/docs/389ds/design/allow-usage-of-openldap-lib-w-openssl.html

and I've tested the patch and verified that replication with starttls
works now and uploaded it to unstable, so I'd say screw with libldap-nss
at this point :)

--
t

