well, obviously the firefox profile is used because NSS wants to find
its certificates for digital signing.

I would also argue that it shouldn't request "w" permissions, but "r" is
expected.

I also suggested using ~/.pki/nssdb but...

16:41 < _rene_> is there any plan to be able to use ~/.pki/nssdb? (see 
https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX)
16:41 < _rene_> instead of the mozilla profile?
16:42 < _rene_> (context: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975951 and 
https://bugs.documentfoundation.org/show_bug.cgi?id=119811)
16:42 < IZBot> bug 119811: LibreOffice-LibreOffice normal/medium NEW 
LibreOffice 6.0.6 spies on my Firefox keychain when opening MS documents
16:43 < mst___> _rene_, if there's some UI for users to add their certs to that 
location then sure
16:44 < _rene_> one can do so without a UI? not everything needs a UI?
16:44 < _rene_> at least make it honour that path in addition
16:45 < _rene_> mst___: users nowadays also don't use firefox :)
16:48 <@thorsten> _rene_: thought nss can only use one path?
16:49 < _rene_> no idea, can't one initialize nss two times and use one 
instance for firefox and the other for that one?
16:49 < _rene_> I mean, there must be more applications not relying only on 
firefox?
16:50 <@thorsten> we had similar issues with thunderbird vs. firefox cert 
stores,
16:50 < _rene_> mmh
16:50 <@thorsten> IIRC the suggestion was for users to set the proper env var,
16:50 <@thorsten> and we're off the hook?
16:50 <@vmiklos> or just set their preferred path in LO, using tools -> options
16:51 < _rene_> but MOZILLA_CERTIFICATE_FOLDER if you mean that will expect a 
firefox profile and not work with ~/.pki/nssdb, will it?
16:52 <@vmiklos> you would have to check, possibly both just contain files like 
certX.db and keyY.db, so perhaps works out of the box
16:52 < _rene_> ah, right, there's the "Options", didn't know
16:54 < _rene_> ok, related to this:
16:54 < _rene_> why does LO request w permissions?
16:54 < _rene_> r should simply suffice, shouldn't it?
16:55 < _rene_> or is this nss actually opening it? (I guess so...)
16:56 <@vmiklos> i guess ideally it should be read-only, right.
16:57  * _rene_ writes that into 
https://bugs.documentfoundation.org/show_bug.cgi?id=119811
16:57 < IZBot> bug 119811: LibreOffice-LibreOffice normal/medium NEW 
LibreOffice 6.0.6 spies on my Firefox keychain when opening MS documents
16:57 < _rene_> (with the chat here cut'n'pasted)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libreoffice in Ubuntu.
https://bugs.launchpad.net/bugs/1862331

Title:
  [upstream] mozilla cert8.db and key3.db are denied by apparmor

Status in LibreOffice:
  Confirmed
Status in libreoffice package in Ubuntu:
  New

Bug description:
  LibreOffice accesses Firefox's cert8.db and key3.db; I found this from
  AppArmor log messages.
  I googled "libreoffice cert8.db key3.db" and found out that it seems
  LibreOffice does this by design. See
  https://bugs.documentfoundation.org/show_bug.cgi?id=119811 ,
  https://weekly-geekly.github.io/articles/357692/index.html . Do you agree
  with this? Then there should be an allow rule, I think. If you do not, then
  there should be a comment and/or a deny rule.

  Does LibreOffice really need write access to these files? I think it
  can potentially add some bad certificates, and some sites would have
  verified sign then, while the user has not added it to exceptions.

  I think if the user has not secured his master password, it can be
  considered OK if some app can access his passwords.

  I think these pages can also be helpful:
  https://stackoverflow.com/questions/45126738/what-is-cert8-db-and-key3-db-file ,
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil ;
  these were found by googling "cert8.db key3.db". This can also be helpful:
  https://en.wikipedia.org/wiki/Public_key_certificate .
