From: Josh Stone
Date: Thu, 14 Feb 2013 17:01:00 -0000
To: systemtap@sourceware.org
Subject: Re: Possible systemtap/NSS areas of extension
Message-ID: <511D1873.9000807@redhat.com>

On 02/14/2013 01:46 AM, Nathan Scott wrote:
> 4. system-wide NSS database
> - There appears to be a move toward consolidation of system/host
>   certificate databases, at least for NSS-based databases. An
>   API has been added to facilitate transitioning to use of the
>   system-wide shared SQL NSS database - NSSInitWithMerge. It'd
>   be an option for systemtap, if transitioning to the new form
>   is considered a desirable feature at some point, to use this
>   to merge the existing systemtap database with the system-wide
>   database.

Perhaps I misunderstand you, but we need to be really careful due to
what is implied by the certificates we accept. We need not just "this
host's claimed identity is confirmed" but also "I trust this host to
feed me a module which I'll load in my kernel." A systemwide database
for the likes of internet browsers is certainly not suitable for that
kernel level of trust.