Most NSS modules are only needed if any software links to them, or loads
them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
slim down the installation by more than 1 MiB, and also get rid of the
SQLite dependency.

Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
down their respective sub-dependencies.

Signed-off-by: Roland Hieber <[email protected]>
---
 v2 -> v3: no changes
 
 v1 -> v2:
  - rebase onto current master
  - fix ecryptfs dependency, only libsoftokn is needed
  - format libsoftokn help text a bit nicer

 rules/ecryptfs-utils.in |  1 +
 rules/nss.in            | 58 ++++++++++++++++++++++++++++++++++++++---
 rules/nss.make          | 22 +++++++++-------
 rules/qt5.in            |  2 ++
 4 files changed, 71 insertions(+), 12 deletions(-)

diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
index 5087f79d3ca2..8a62443bdddb 100644
--- a/rules/ecryptfs-utils.in
+++ b/rules/ecryptfs-utils.in
@@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS
        prompt "ecryptfs-utils                "
        select KEYUTILS
        select NSS
+       select NSS_INSTALL_LIBSOFTOKN
        select HOST_INTLTOOL
        select BASH                     if ECRYPTFS_UTILS_TESTS
        select COREUTILS                if ECRYPTFS_UTILS_TESTS
diff --git a/rules/nss.in b/rules/nss.in
index 3e4a07a75404..799bd5a73ae0 100644
--- a/rules/nss.in
+++ b/rules/nss.in
@@ -1,13 +1,65 @@
 ## SECTION=networking
 
-config NSS
+menuconfig NSS
        tristate
-       prompt "nss"
+       prompt "nss                           "
        select NSPR
-       select SQLITE
+       select SQLITE   if NSS_INSTALL_LIBSOFTOKN
        help
          Network Security Services (NSS) is a set of libraries designed to
          support cross-platform development of security-enabled client and
          server applications. Applications built with NSS can support
          SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
          X.509 v3 certificates, and other security standards.
+
+if NSS
+
+config NSS_INSTALL_LIBSMIME
+       bool
+       prompt "install libsmime"
+       default y
+       help
+         Install libsmime3.so, which adds about ~90 kiB to the footprint.
+
+         libsmime provides functionality related to S/MIME (Cryptographic
+         Message Syntax, PKCS#7) used by secure email and some instant
+         messaging implementations.
+
+config NSS_INSTALL_LIBSSL
+       bool
+       prompt "install libssl"
+       default y
+       help
+         Install libssl3.so, which adds about ~200 kiB to the footprint.
+
+         libssl implements the Secure Sockets Layer/Transport Layer Security
+         network protocols.
+
+config NSS_INSTALL_LIBNSSCKBI
+       bool
+       prompt "install libnssckbi"
+       default y
+       help
+         Install libnssckbi.so, which adds about ~350 kiB to the footprint.
+
+         CKBI is a PKCS#11 module which provides a set of trust anchors (Root
+         CAs) and their trust assignments.
+
+config NSS_INSTALL_LIBSOFTOKN
+       bool
+       prompt "install libsoftokn"
+       default y
+       help
+         Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
+         libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
+         additional dependency on SQLite.
+
+         FreeBL is a base library providing hash functions, big number
+         calculations, and cryptographic algorithms.
+
+         DBM is a legacy library providing database storage.
+
+         Softoken is an NSS module that exposes most FreeBL functionality as a
+         PKCS#11 module, and can make use of DBM or SQLite at runtime.
+
+endif
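Review bot: The help text for NSS_INSTALL_LIBNSSCKBI gives the size saving but not what is lost when the option is switched off. libnssckbi is the only source of built-in root CAs here, so an image built without it has no default trust anchors, and this only shows up at runtime as failed certificate verification. I would add a sentence such as `Without this module NSS ships no built-in root CAs; certificate verification then needs trust anchors provided by other means.` As a minor wording point, "about ~90 kiB" doubles the approximation, and the softoken entry uses kB while the others use kiB.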
diff --git a/rules/nss.make b/rules/nss.make
index 44febc416711..6a003dd1743f 100644
--- a/rules/nss.make
+++ b/rules/nss.make
@@ -48,13 +48,18 @@ NSS_MAKE_ENV := \
        BUILD_OPT=1 \
        MOZILLA_CLIENT=1 \
        NS_USE_GCC=1 \
-       NSS_USE_SYSTEM_SQLITE=1 \
        NSS_ENABLE_ECC=1 \
        NSS_DISABLE_GTESTS=1 \
        NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
        USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
        USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
 
+# unless needed, prevent an additional runtime dependency by using the bundled,
+# statically-linked sqlite, but not installing anything that links to it
+ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
+NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
+endif
+
 NSS_MAKE_PAR := NO
 NSS_MAKE_OPT := \
        OS_ARCH=Linux \
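Review bot: The `ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN` guard looks inverted. As written, NSS_USE_SYSTEM_SQLITE=1 is set only when softoken is not installed, which is exactly the case where rules/nss.in no longer selects SQLITE. A build that does install libsoftokn3 falls back to the SQLite copy bundled with NSS, although the system package is selected for it. That contradicts the comment above the conditional, and the installed softoken may then miss fixes made in the SQLite package. `ifdef PTXCONF_NSS_INSTALL_LIBSOFTOKN` appears to be what was intended.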
@@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \
 NSS_LIBS := \
        libnss3 \
        libnssutil3 \
-       libsmime3 \
-       libssl3 \
-       libfreebl3 \
-       libfreeblpriv3 \
-       libnssckbi \
-       libnssdbm3 \
-       libsoftokn3
-
+       $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
+       $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
+       $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
+       $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
+       $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
+       $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
+       $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
 
 $(STATEDIR)/nss.install:
        @$(call targetinfo)
diff --git a/rules/qt5.in b/rules/qt5.in
index 162ea8b9beba..a5f8f3b94c4b 100644
--- a/rules/qt5.in
+++ b/rules/qt5.in
@@ -59,6 +59,8 @@ menuconfig QT5
        select NSPR                     if QT5_MODULE_QTWEBENGINE
        select HOST_NSPR                if QT5_MODULE_QTWEBENGINE
        select NSS                      if QT5_MODULE_QTWEBENGINE
+       select NSS_INSTALL_LIBNSSCKBI   if QT5_MODULE_QTWEBENGINE
+       select NSS_INSTALL_LIBSMIME     if QT5_MODULE_QTWEBENGINE
        select HOST_NSS                 if QT5_MODULE_QTWEBENGINE
        select HOST_NINJA               if QT5_MODULE_QTWEBENGINE
        select ALSA_LIB                 if QT5_MODULE_QTMULTIMEDIA || 
QT5_MODULE_QTWEBENGINE_MEDIA
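Review bot: The two added selects leave out NSS_INSTALL_LIBSOFTOKN, and that dependency would not show up as a link-time requirement. libnss3 normally loads libsoftokn3 (and through it freebl) at runtime as its internal PKCS#11 module. If QtWebEngine initialises NSS, a missing softoken would therefore only fail on the target, not during the build. Please confirm this was tested with softoken disabled, or add `select NSS_INSTALL_LIBSOFTOKN if QT5_MODULE_QTWEBENGINE`. The menuconfig block continues outside the hunk.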
-- 
2.27.0

