NSS Refactor 3 12

From MozillaWiki
Jump to: navigation, search

NSS Packaging Refactor for 3.12

The "Current" Dependency Tree

This is the "current" NSS dependency tree (NSS 3.12) based on changes to from libpkix and shared database.

libcrmf.a

  • Built with sources in nss/lib/crmf
  • Static library only.

Hostgator VPS Coupon Hostgator Reseller Coupon Hostgator 1 cent coupon

libsmime3.so

  • Built with sources in nss/lib/smime
  • Statically linked with objects in nss/lib/pkcs12 and nss/lib/pkcs7
  • Depends on libnss3.so
  • Depends on nspr*

libssl3.so

  • Built with sourced in nss/lib/ssl
  • Statically lined with library libreebl.a (nss/lib/freebl^)
  • Depends on libnss3.so
  • Depends on libfreebl.so^
  • Depends on nspr*

libnss3.so

  • Built with sources in nss/lib/nss
  • Statically linked with objects in:
    • nss/lib/certhigh
    • nss/lib/cryptohi
    • nss/lib/pk11wrap
    • nss/lib/certdb
    • nss/lib/util
    • nss/lib/pki
    • nss/lib/dev
    • nss/lib/base
    • nss/lib/libpkix/pkix/certsel
    • nss/lib/libpkix/pkix/checker
    • nss/lib/libpkix/pkix/params
    • nss/lib/libpkix/pkix/results
    • nss/lib/libpkix/pkix/top
    • nss/lib/libpkix/pkix/util
    • nss/lib/libpkix/pkix/crlsel
    • nss/lib/libpkix/pkix/store
    • nss/lib/libpkix/pkix_pl_nss/pki
    • nss/lib/libpkix/pkix_pl_nss/system
    • nss/lib/libpkix/pkix_pl_nss/module
  • Depends libsoftokn3.so
  • Depends on nspr*

libsoftokn3.so

  • Built with sources in nss/lib/softoken
  • Statically linked with libraries:
    • libsecutil.a (nss/lib/util)
    • libfreebl.a (nss/lib/freebl^)
  • Depends on libfreebl.so^
  • Depends on liblgdbm3.so^^
  • Depends on nspr*
^NOTE: Freebl dependency is dynamically loaded with DLopen and won't show up
on a normal dependency list.
^^NOTE2: liblgdbm.so dependency is also dynamically loaded with DLopen. 
It is only loaded if needed to process legacy databases.

liblgdbm3.so

  • Built with sources in nss/lib/softoken
  • Statically linked with libraries:
    • libsecutil.a (nss/lib/util)
    • libdbm.a (dbm)
    • libfreebl.a (nss/lib/freebl^)
  • Depends on libfreebl.so^
  • Depends on nspr*

libfreebl.so

  • Built with soruces in nss/lib/freebl
  • Statically linked with libraries:
    • libsecutil.a (nss/lib/util)
    • libdbm.a (dbm)

libnssckbi.so

  • Built with sources in nss/lib/ckfw/builtins
  • Statically linked with libraries:
    • libnssckfw.a (nss/lib/ckfw)
    • libssb.a (nss/lib/base)
  • Depends on nspr*

libnsscapi.so

  • Built with sources in nss/lib/ckfw/capi
  • Statically linked with libraries:
    • libnssckfw.a (nss/lib/ckfw)
    • libssb.a (nss/lib/base)
    • libfreebl.a (nss/lib/freebl^)
  • Depends on libfreebl.so^
  • Depends on nspr*

libnssmkey.so

  • Built with sources in nss/lib/ckfw/mkey
  • Statically linked with libraries:
    • libnssckfw.a (nss/lib/ckfw)
    • libssb.a (nss/lib/base)
    • libfreebl.a (nss/lib/freebl^)
  • Depends on libfreebl.so^
  • Depends on nspr*

Analysis

For the most part these are pretty much straight line dependencies, distinct dependencies.

The exceptions are nss/lib/base, nss/lib/util and nss/lib/freebl.

nss/lib/freebl

nss/lib/freebl is really a static binding to a loader function with an explicit dynamic load, so in practice there is very little in freebl that is actually 'copied' between components. It can really be considered a shared library dependency even though it won't show up on an ldd.

nss/lib/base

nss/lib/base is used in both libnss3.so and libckbi.so. This is the only runtime dependency libckbi.so has on the rest of NSS. Unfortately nss/lib/base depends on some headers in nss/lib/util, and nss/lib/ckfw depends on some headers in nss/lib/softoken.

nss/lib/util

nss/lib/util is used by libnss3.so, libsoftkn3.so. liblgdbm.so and libfreebl.so. Besided the copy issue, util also creates an issue for libsoftkn3.so and libfreebl.so because the latter or FIPS modules, changes to nss/lib/util technically affect the FIPS validation. Since nss/lib/util does not participate in the management of CPS, it is usually possible to reinstate the validation with a review and letter from the lab.

ckfw/* dependencies

With capi and mkey, ckfw depends on freebl. Since freebl depends on util, then it makes since that you would need base, util, freebl to build ckfw. As with NSS 3.11, there is also a build time dependency on the headers in softoken

Recommendations

  1. Make util it's own shared library. There are a number of issues with this which are discussed here.
  2. Bundle util and base as a 'basic' NSS package which can be built separately from the rest of nss (Question, should base be rolled into util, remain it's own static library, or become it's own shared library?).
  3. Bundle freebl and softoken as a 'crypto' NSS package which can be built separately, depending only on itself and basic.
  4. Bundle ckfw as a 'modules' NSS package which can be built separately, depending on itself, basic, and crypto.
  5. Bundle the rest of NSS as a 'nss' NSS package, which can be built separately, depending only on itself, basic, and crypto. (NOTE: it does not depend on 'modules'. (Question, should ssl and smime be separate packages as well?).

Other question: crmf is currently a static only library, currently only used by tools and mozilla. Is it time for crmf to become it's own shared library?

Update: It looks like capi and mkey do *NOT* depend on freebl, so it is possible to make ckfw it's own module which only depends on base. This leads to the question: do we want to make ckfw independent of util and softoken, including build time dependencies. In that case it argues for libbase to be it's own package.

Retrieved from "https://wiki.mozilla.org/index.php?title=NSS_Refactor_3_12&oldid=421589"