It looks like symlinking firefox and thunderbird's own copies of libnssckbi.so to the system-wide p11-kit-trust.so is the proper way to fix this bug, as far as Mozilla's products are concerned.
Before I proceed to doing this, I'd welcome comments from the security team on this approach though, as I suspect I don't understand all the implications. (an alternative would be building firefox/thunderbird against the system-wide nss, but firefox currently requires 3.50, which isn't yet in focal, and I suspect that requirement is being bumped often, so that wouldn't really work with our distribution model) ** Changed in: firefox (Ubuntu) Status: New => Confirmed ** Changed in: firefox (Ubuntu) Assignee: (unassigned) => Olivier Tilloy (osomon) ** Changed in: thunderbird (Ubuntu) Assignee: (unassigned) => Olivier Tilloy (osomon) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1647285 Title: SSL trust not system-wide To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs