NSS Refactor 3 11: Difference between revisions
| Line 60: | Line 60: | ||
dependencies. | dependencies. | ||
The exceptions are nss/lib/base, nss/lib/util and nss/lib/freebl. | The exceptions are nss/lib/base, nss/lib/util and nss/lib/freebl. | ||
is really a static binding to a loader function, so in practice there is | |||
very little in freebl that is actually 'copied' between components. | ==== nss/lib/freebl ==== | ||
nss/lib/freebl | |||
is really a static binding to a loader function with and explicit dynamical | |||
load, so in practice there is very little in freebl that is actually 'copied' between components. It can really be considered a shared library dependency | |||
even though it won't show up on an ldd. | |||
==== nss/lib/base ==== | |||
nss/lib/base is used in both libnss3.so and libckbi.so. This is the only | nss/lib/base is used in both libnss3.so and libckbi.so. This is the only | ||
| Line 76: | Line 82: | ||
# Between 3.11 and 3.12 whatnspr.c was removed. | # Between 3.11 and 3.12 whatnspr.c was removed. | ||
==== nss/lib/util ==== | |||
nss/lib/util is used by libnss3.so, libsoftkn3.so and libfreebl.so. | nss/lib/util is used by libnss3.so, libsoftkn3.so and libfreebl.so. | ||
Besided the copy issue, util also creates an issue for libsoftkn3.so and libfreebl.so because the latter or FIPS modules, changes to nss/lib/util technically affect the FIPS validation. Since nss/lib/util does not participate in the management of CPS, it is usually possible to reinstate the validation with a review and letter from the lab. | |||
=== ckfw/nssckbi dependencies === | === ckfw/nssckbi dependencies === | ||
Revision as of 22:56, 8 June 2007
NSS Packaging Refactor for 3.11
The Current Dependency Tree
Current NSS dependency tree (NSS 3.11.X).
libcrmf.a
- Built with sources in nss/lib/crmf
- Static library only.
libsmime3.so
- Built with sources in nss/lib/smime
- Statically linked with objects in nss/lib/pkcs12 and nss/lib/pkcs7
- Depends on libnss3.so
- Depends on nspr*
libssl3.so
- Built with sourced in nss/lib/ssl
- Statically lined with library libreebl.a (nss/lib/freebl^)
- Depends on libnss3.so
- Depends on libfreebl.so^
- Depends on nspr*
libnss3.so
- Built with sources in nss/lib/nss
- Statically linked with objects in:
- nss/lib/certhigh
- nss/lib/cryptohi
- nss/lib/pk11wrap
- nss/lib/certdb
- nss/lib/util
- nss/lib/pki
- nss/lib/dev
- nss/lib/base
- Depends libsoftokn3.so
- Depends on nspr*
libsoftokn3.so
- Built with sources in nss/lib/softoken
- Statically linked with libraries:
- libsecutil.a (nss/lib/util)
- libdbm.a (dbm)
- libfreebl.a (nss/lib/freebl^)
- Depends on libfreebl.so^
- Depends on nspr*
^NOTE: Freebl dependency is dynamically loaded with DLopen and won't show up on a normal dependency list.
libfreebl.so
- Built with soruces in nss/lib/freebl
- Statically linked with libraries:
- libsecutil.a (nss/lib/util)
- libdbm.a (dbm)
libnssckbi.so
- Built with sources in nss/lib/ckfw/builtins
- Statically linked with libraries:
- libnssckfw.a (nss/lib/ckfw)
- libssb.a (nss/lib/base)
- Depends on nspr*
Analysis
For the most part these are pretty much straight line dependencies, distinct dependencies.
The exceptions are nss/lib/base, nss/lib/util and nss/lib/freebl.
nss/lib/freebl
nss/lib/freebl is really a static binding to a loader function with and explicit dynamical load, so in practice there is very little in freebl that is actually 'copied' between components. It can really be considered a shared library dependency even though it won't show up on an ldd.
nss/lib/base
nss/lib/base is used in both libnss3.so and libckbi.so. This is the only runtime dependency libckbi.so has on the rest of NSS. Unfortately nss/lib/base depends on some headers in nss/lib/util, and nss/lib/ckfw depends on some headers in nss/lib/softoken.
nss/lib/base is one of the slowest changing directories in the NSS tree. Since NSS 3.9 there have been a grand total of 4 changes made to that tree:
- Between 3.9 and 3.10 the license changed from dual to tri-license.
- Between 3.9 and 3.10 two pointers were changed from &pointer[offset] to pointer+offset (offset was negative, and the new code is more readable).
- Between 3.11.2 and 3.11.3 alex fixed a null dereference bug.
- Between 3.11 and 3.12 whatnspr.c was removed.
nss/lib/util
nss/lib/util is used by libnss3.so, libsoftkn3.so and libfreebl.so. Besided the copy issue, util also creates an issue for libsoftkn3.so and libfreebl.so because the latter or FIPS modules, changes to nss/lib/util technically affect the FIPS validation. Since nss/lib/util does not participate in the management of CPS, it is usually possible to reinstate the validation with a review and letter from the lab.
ckfw/nssckbi dependencies
Besides the object code dependencies, there are some unexpected build dependencies for ckfw.
If you try the following:
# get ckfw cvs checkout -r NSS_3_11_BRANCH mozilla/security/coreconf mozilla/security/nss/lib/base mozilla/security/nss/lib/ckfw
# get nspr cvs checkout mozilla/nsprpub cvs checkout -r NSS_3_11_BRANCH mozilla/security/nss/Makefile mozilla/security/nss/manifest.mn
#build dependencies cd mozilla/security/nss make build_coreconf build_nspr
#build base cd lib/base make
#build ckfw cd ../ckfw make
You find the lib/base will fail because it needs header files supplied out of lib/util and lib/ckfw will fail because it needs header files supplied out of softoken (the pkcs11 headers).
Recommendation
For NSS 3.11.x We should support just replacing the ckfw directory. It's dependencies with the rest of NSS are pretty small, easily identified, and does not change very much.