public inbox for systemtap@sourceware.org
From: Josh Stone <jistone@redhat.com>
To: systemtap@sourceware.org
Subject: Re: Possible systemtap/NSS areas of extension
Date: Thu, 14 Feb 2013 17:01:00 -0000
Message-ID: <511D1873.9000807@redhat.com>
In-Reply-To: <1419415114.2640359.1360835210874.JavaMail.root@redhat.com>

On 02/14/2013 01:46 AM, Nathan Scott wrote:
> 4. system-wide NSS database
> - There appears to be a move toward consolidation of system/host
>   certificate databases, at least for NSS-based databases.  An
>   API has been added to facilitate transitioning to use of the
>   system-wide shared SQL NSS database - NSSInitWithMerge.  It'd
>   be an option for systemtap, if transitioning to the new form
>   is considered a desirable feature at some point, to use this
>   to merge the existing systemtap database with the system-wide
>   database.

Perhaps I misunderstand you, but we need to be really careful due to
what is implied by the certificates we accept.  We need not just "this
host's claimed identity is confirmed" but also "I trust this host to
feed me a module which I'll load in my kernel."  A systemwide database
for the likes of internet browsers is certainly not suitable for that
kernel level of trust.

Thread overview: 3+ messages
     [not found] <1394151552.2635240.1360833812143.JavaMail.root@redhat.com>
2013-02-14  9:47 ` Nathan Scott
2013-02-14 17:01   ` Josh Stone [this message]
2013-02-15  4:56     ` Nathan Scott
