NSS package consolidation


We currently have 3 source packages for NSS (nss-util, nss-softokn, and
nss), split from the upstream release tarball. This splitting was
introduced for FIPS certification purposes in RHEL, where only the
nss-softokn part is certified.

In Fedora, however, this doesn't apply (as we don't certify), and has
rather caused trouble, such as upgrade path issues, incomplete
buildroot overrides, etc.

Therefore we are considering merging those source packages back into a
single package[1]. The same set of binary packages will still be
produced and they should be compatible with the current ones.

The question is, is there any documented procedure to do this kind of
package merge safely? I guess at least the unnecessary packages
(nss-util and nss-softokn) would need to be retired.

Suggestions appreciated.

[1] <a href="" title=""></a>



Re: NSS package consolidation

By Tom Hughes at 11/08/2018 - 08:04

Just follow the normal procedures for replacing packages:

<a href="" title=""></a>

So have the new merged nss obsolete the old versions of
nss-util and nss-softokn and then retire them.


Re: NSS package consolidation

By Vít Ondruch at 11/08/2018 - 10:00

On 08. 11. 18 at 13:04 Tom Hughes wrote:

I don't see any reason why the old versions should be explicitly
obsoleted, if the nss package is going to provide precisely the same
package set. Just retiring should be fine IMO.


Re: NSS package consolidation

By Tom Hughes at 11/08/2018 - 10:05

On 08/11/2018 14:00, Vít Ondruch wrote:
Oh sorry I misread the message and thought the goal was to produce
one binary rpm.

If it's going to one source rpm producing the same three binary
rpms then you are indeed correct.


Re: NSS package consolidation

By Daiki Ueno at 11/12/2018 - 13:10

Tom Hughes < ... at compton dot nu> writes:

Thank you for the suggestions. Then I will go ahead and retire nss-util
and nss-softokn source packages once we are sure that the generated
binary packages are sane enough. I have created a copr repository for
<a href="" title=""></a>

firefox and java-openjdk maintainers: could you check if these builds
don't break anything?
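
Added example, not part of the thread and not the maintainers' own tooling: one way to check that the merged source package still yields the same binary packages and capabilities as the three old ones, which is the condition discussed above for retiring without Obsoletes. The function names and the two directory arguments are hypothetical; it assumes the old and new binary RPMs have been downloaded into two local directories.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Emit "package<TAB>capability" for every binary RPM in directory $1.
# Only capability names are listed; versions legitimately differ between builds.
list_provides() {
    rpm -qp --qf '[%{=NAME}\t%{PROVIDENAME}\n]' "$1"/*.rpm | sort -u
}

# Print every package/capability pair found in list file $1 but not in $2.
# Returns 0 when nothing is missing, 1 otherwise.
missing_provides() {
    old_sorted=$(mktemp) || return 2
    new_sorted=$(mktemp) || return 2
    sort -u "$1" > "$old_sorted"
    sort -u "$2" > "$new_sorted"
    missing=$(comm -23 "$old_sorted" "$new_sorted")
    rm -f "$old_sorted" "$new_sorted"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Usage: script OLD_RPM_DIR NEW_RPM_DIR (directories are the caller's choice).
if [ "$#" -eq 2 ]; then
    old_list=$(mktemp) && new_list=$(mktemp) || exit 2
    list_provides "$1" > "$old_list"
    list_provides "$2" > "$new_list"
    missing_provides "$old_list" "$new_list"
    status=$?
    rm -f "$old_list" "$new_list"
    exit "$status"
fi
```

Any line printed names a binary package or capability that existing installs may depend on and that the new build no longer provides.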


Re: NSS package consolidation

By Bob Mauchin at 11/18/2018 - 21:53

On Monday 12 November 2018 18:10:47 CET Daiki Ueno wrote:

Could we also remove the old cruft?

- Group: is not needed.

- %{__rm} -rf $RPM_BUILD_ROOT is not needed in %install

- Using %{__rm}, %{__mkdir_p}, %{__install}, %{__cp}, %{__make} and so on is
pointless, just use the binaries directly.

- %ldconfig_scriptlets: You can drop this now (since F28).

- The man files should not be marked as %doc and %attr(0644,root,root) should
not be needed as it is the default:

%attr(0644,root,root) %doc %{_mandir}*

- The extension of the man pages .gz should be globbed instead as we may
change the compression in the future.

- Your Requires: in devel subpackages are missing %{?_isa}

Requires: nss%{?_isa} = %{version}-%{release}

Requires: nss-util%{?_isa} = %{version}-%{release}

- Consider using a URL for Source0:

Source0: <a href="" title=""></a>

with %global nss_tag NSS_3_40_RTM

instead of Source0: %{name}-%{nss_archive_version}.tar.gz

You may need to adjust %prep:

%setup -q -n nss-%{nss_tag}

and -p1 the patches instead of -p0/-p1
and remove the ./nss/ top directory from various commands in %build and
%install to match the archive structure.

See my SPEC at <a href="" title=""></a>

Build: <a href="" title=""></a>

Please consider these changes for your PR.

Best regards,


Re: NSS package consolidation

By Daiki Ueno at 11/19/2018 - 10:54

Robert-André Mauchin <zebob. ... at gmail dot com> writes:

Thank you! I have updated the PR based on the suggestions.

That really makes sense, though I'd like to use the URLs from the
upstream release announcements, that are in the form:{nss_tag}/src/%{name}-%{nss_archive_version}.tar.gz