Merge branch 'f19' into f18

- cherry-pick merge from f19 skipping the man pages

cert8.db.xml

@@ -1,59 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="cert8.db">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>cert8.db</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>cert8.db</refname>
-    <refpurpose>Legacy NSS certificate database</refpurpose>
-  </refnamediv>
-
-<refsection id="description">
-    <title>Description</title>
-    <para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
-  <para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
-  </para>
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/etc/pki/nssdb/cert8.db</filename></para>
-  </refsection>
-
-  <refsection>
-    <title>See also</title>
-    <para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-
-  </refsection>
-
-
-</refentry>

cert9.db.xml

@@ -1,59 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="cert9.db">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>cert9.db</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>cert9.db</refname>
-    <refpurpose>NSS certificate database</refpurpose>
-  </refnamediv>
-
-<refsection id="description">
-    <title>Description</title>
-    <para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para>
-  <para>This certificate database is the sqlite-based shared database with support for concurrent access.
-  </para>
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/etc/pki/nssdb/cert9.db</filename></para>
-  </refsection>
-
-  <refsection>
-    <title>See also</title>
-    <para>pkcs11.txt(5)</para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-
-  </refsection>
-
-
-</refentry>

certutil_keyOpFlagsFix.patch

@@ -1,24 +0,0 @@
-diff --git a/doc/certutil.xml b/doc/certutil.xml
---- a/doc/certutil.xml
-+++ b/doc/certutil.xml
-@@ -655,18 +655,18 @@ of the attribute codes:
- 
-       <varlistentry>
-         <term>--keyAttrFlags attrflags</term>
-         <listitem><para>
- PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</para></listitem>
-       </varlistentry>
- 
-       <varlistentry>
--        <term>--keyFlagsOn opflags</term>
--        <term>--keyFlagsOff opflags</term>
-+        <term>--keyOpFlagsOn opflags</term>
-+        <term>--keyOpFlagsOff opflags</term>
-         <listitem><para>
- PKCS #11 key Operation Flags.
- Comma separated list of one or more of the following:
- {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
-           </para></listitem>
-       </varlistentry>
- 
-       <varlistentry>

document-certutil-email-option.patch

@@ -1,25 +0,0 @@
-diff --git a/doc/certutil.xml b/doc/certutil.xml
---- a/doc/certutil.xml
-+++ b/doc/certutil.xml
-@@ -204,16 +204,21 @@ If this option is not used, the validity
-       </varlistentry>
- 
-       <varlistentry>
-         <term>-e </term>
-         <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
-       </varlistentry>
- 
-       <varlistentry>
-+        <term>--email email-address</term>
-+        <listitem><para>Specify the email address, used with the -L command option to print a single named certificate.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>-f password-file</term>
-         <listitem><para>Specify a file that will automatically supply the password to include in a certificate 
-  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
-  unauthorized access to this file.</para></listitem>
-       </varlistentry>
- 
-       <varlistentry>
-         <term>-g keysize</term>

key3.db.xml

@@ -1,59 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="key3.db">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>key3.db</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>key3.db</refname>
-    <refpurpose>Legacy NSS certificate database</refpurpose>
-  </refnamediv>
-
-<refsection id="description">
-    <title>Description</title>
-    <para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
-  <para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which  which are the new sqlite-based shared database format with support for concurrent access.
-  </para>
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/etc/pki/nssdb/key3.db</filename></para>
-  </refsection>
-
-  <refsection>
-    <title>See also</title>
-    <para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-
-  </refsection>
-
-
-</refentry>

key4.db.xml

@@ -1,59 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="key4.db">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>key4.db</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>key4.db</refname>
-    <refpurpose>NSS certificate database</refpurpose>
-  </refnamediv>
-
-<refsection id="description">
-    <title>Description</title>
-    <para><emphasis>key4.db</emphasis> is an NSS key database.</para>
-  <para>This key database is the sqlite-based shared database format with support for concurrent access.
-  </para>
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/etc/pki/nssdb/key4.db</filename></para>
-  </refsection>
-
-  <refsection>
-    <title>See also</title>
-    <para>pkcs11.txt(5)</para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-
-  </refsection>
-
-
-</refentry>

manpages-fixes.patch

@@ -1,209 +0,0 @@
-diff --git a/doc/certutil.xml b/doc/certutil.xml
---- a/doc/certutil.xml
-+++ b/doc/certutil.xml
-@@ -634,16 +634,37 @@ of the attribute codes:
-       </varlistentry>
- 
-       <varlistentry>
-         <term>--extSKID</term>
-         <listitem><para>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
-       </varlistentry>
- 
-       <varlistentry>
-+        <term>--extNC</term>
-+        <listitem><para>Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+        <term>--keyAttrFlags attrflags</term>
-+        <listitem><para>
-+PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+        <term>--keyFlagsOn opflags</term>
-+        <term>--keyFlagsOff opflags</term>
-+        <listitem><para>
-+PKCS #11 key Operation Flags.
-+Comma separated list of one or more of the following:
-+{token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
-+          </para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>--source-dir certdir</term>
-         <listitem><para>Identify the certificate database directory to upgrade.</para></listitem>
-       </varlistentry>
- 
-       <varlistentry>
-         <term>--source-prefix certdir</term>
-         <listitem><para>Give the prefix of the certificate and key databases to upgrade.</para></listitem>
-       </varlistentry>
-@@ -795,17 +816,17 @@ JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0C
- XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk
- 0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB
- AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B
- AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09
- XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF
- ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg==
- -----END CERTIFICATE-----
- </programlisting>
--<pa>For a humam-readable display</para>
-+<para>For a human-readable display</para>
- <programlisting>$ certutil -L -d sql:$HOME/nssdb -n my-ca-cert
- Certificate:
-     Data:
-         Version: 3 (0x2)
-         Serial Number: 3650 (0xe42)
-         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
-         Issuer: "CN=Example CA"
-         Validity:
-diff --git a/doc/cmsutil.xml b/doc/cmsutil.xml
---- a/doc/cmsutil.xml
-+++ b/doc/cmsutil.xml
-@@ -84,19 +84,26 @@ The options and arguments for the cmsuti
-       <varlistentry>
-         <term>-S </term>
-         <listitem><para>Sign a message.</para></listitem>
-       </varlistentry>
- 
-     </variablelist>
- 
- 	<para><command>Arguments</command></para>
--	<para>Option arguments modify an action and are lowercase.</para>
-+	<para>Option arguments modify an action.</para>
- 	<variablelist>
-       <varlistentry>
-+        <term>-b </term>
-+        <listitem>
-+          <para>Decode a batch of files named in infile.</para>
-+        </listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>-c content </term>
-         <listitem>
-           <para>Use this detached content (decode only).</para>
-         </listitem>
-       </varlistentry>
- 
-       <varlistentry>
-         <term>-d dbdir</term>
-@@ -108,37 +115,58 @@ The options and arguments for the cmsuti
-       <varlistentry>
-         <term>-e envfile</term>
-         <listitem>
-           <para>Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only).</para>
-         </listitem>
-       </varlistentry>
- 
-       <varlistentry>
-+        <term>-f pwfile</term>
-+        <listitem>
-+          <para>Use password file to set password on all PKCS#11 tokens.</para>
-+        </listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>-G</term>
-         <listitem>
-           <para>Include a signing time attribute (sign only).</para>
-         </listitem>
-       </varlistentry>
--	
-+
-+      <varlistentry>
-+        <term>-H hash</term>
-+        <listitem>
-+          <para>Use specified hash algorithm (default:SHA1).</para>
-+        </listitem>
-+      </varlistentry>
-+
-       <varlistentry>
-         <term>-h num</term>
-         <listitem>
-           <para>Generate email headers with info about CMS message (decode only).</para>
-         </listitem>
-       </varlistentry>
- 
-       <varlistentry>
-         <term>-i infile</term>
-         <listitem>
-           <para>Use infile as a source of data (default is stdin).</para>
-         </listitem>
-       </varlistentry>
- 
-       <varlistentry>
-+        <term>-k</term>
-+        <listitem>
-+          <para>Keep decoded encryption certs in permanent cert db.</para>
-+        </listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>-N nickname</term>
-         <listitem>
-           <para>Specify nickname of certificate to sign with (sign only).</para>
-         </listitem>
-       </varlistentry>
- 
-       <varlistentry>
-         <term>-n </term>
-@@ -188,16 +216,23 @@ For certificates-only message, list of c
-       <varlistentry>
-         <term>-u certusage</term>
-         <listitem>
-           <para>Set type of cert usage (default is certUsageEmailSigner).</para>
-         </listitem>
-       </varlistentry>
- 
-       <varlistentry>
-+        <term>-v</term>
-+        <listitem>
-+          <para>Print debugging information.</para>
-+        </listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-         <term>-Y ekprefnick</term>
-         <listitem>
-           <para>Specify an encryption key preference by nickname.</para>
-         </listitem>
-       </varlistentry>
- 
-     </variablelist>
- 
-diff --git a/doc/crlutil.xml b/doc/crlutil.xml
---- a/doc/crlutil.xml
-+++ b/doc/crlutil.xml
-@@ -261,16 +261,30 @@ Specify type of CRL. possible types are:
-         <term>-u url </term>
-         <listitem>
-           <para>
- Specify the url.
-           </para>
-         </listitem>
-       </varlistentry>
- 
-+      <varlistentry>
-+        <term>-w pwd-string</term>
-+        <listitem>
-+          <para>Provide db password in command line.</para>
-+        </listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+        <term>-Z algorithm</term>
-+        <listitem>
-+          <para>Specify the hash algorithm to use for signing the CRL.</para>
-+        </listitem>
-+      </varlistentry>
-+
-     </variablelist>
-   </refsection>
- 
-   <refsection id="syntax">
-     <title>CRL Generation script syntax</title>
-     <para>CRL generation script file has the following syntax:</para>
-     <para>
-     * Line with comments should have # as a first symbol of a line</para>

nss.spec

@@ -64,12 +64,6 @@ Source18:         TestUser50.cert
 Source19:         TestUser51.cert
 Source20:         nss-config.xml
 Source21:         setup-nsssysinit.xml
-Source22:         pkcs11.txt.xml
-Source23:         cert8.db.xml
-Source24:         cert9.db.xml
-Source25:         key3.db.xml
-Source26:         key4.db.xml
-Source27:         secmod.db.xml
 
 Patch2:           add-relro-linker-option.patch
 Patch3:           renegotiate-transitional.patch
@@ -79,6 +73,8 @@ Patch18:          nss-646045.patch
 # must statically link pem against the freebl in the buildroot
 # Needed only when freebl on tree has new APIS
 Patch25:          nsspem-use-system-freebl.patch
+# This patch is currently meant for stable branches
+Patch29:          nss-ssl-cbc-random-iv-off-by-default.patch
 # TODO: Remove this patch when the ocsp test are fixed
 Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 Patch44:          0001-sync-up-with-upstream-softokn-changes.patch
@@ -91,12 +87,8 @@ Patch47:          utilwrap-include-templates.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171
 Patch48:          nss-versus-softoken-tests.patch
 # TODO remove when we switch to building nss without softoken
-Patch49:          nss-skip-bltest-and-fipstest.patch
-Patch50:          iquote.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001
-Patch54:          document-certutil-email-option.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=937677
-Patch57:          certutil_keyOpFlagsFix.patch
+Patch49:  nss-skip-bltest-and-fipstest.patch
+Patch50:  iquote.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -180,6 +172,8 @@ low level services.
 %patch18 -p0 -b .646045
 # link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
+# activate for stable branches
+%patch29 -p0 -b .cbcrandomivoff
 %patch40 -p0 -b .noocsptest
 %patch44 -p1 -b .syncupwithupstream
 %patch45 -p0 -b .notrash
@@ -188,10 +182,6 @@ low level services.
 %patch48 -p0 -b .crypto
 %patch49 -p0 -b .skipthem
 %patch50 -p0 -b .iquote
-pushd nss
-%patch54 -p1 -b .948495
-%patch57 -p1 -b .948495
-popd
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -350,22 +340,13 @@ date +"%e %B %Y" | tr -d '\n' > date.xml
 echo -n %{version} > version.xml
 
 # configuration files and setup script
-for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do
+for m in %{SOURCE20} %{SOURCE21}; do
   cp ${m} .
 done
-for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do
+for m in nss-config.xml setup-nsssysinit.xml; do
   xmlto man ${m}
 done
 
-# nss databases considered to be configuration files
-for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do
-  cp ${m} .
-done
-for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do
-  xmlto man ${m}
-done
- 
-
 %check
 if [ $DISABLETEST -eq 1 ]; then
   echo "testing disabled"
@@ -471,13 +452,9 @@ echo "test suite completed"
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
 
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
-mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
-
-touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
-%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
 
 # Copy the binary libraries we want
-for file in libnss3.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so
+for file in libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so
 do
   %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
@@ -528,10 +505,6 @@ done
 %{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
 # Copy the pkcs #11 configuration script
 %{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
-# install a symbolic link to it, without the ".sh" suffix,
-# that matches the man page documentation
-ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
-
 # Copy the man pages for scripts
 for f in nss-config setup-nsssysinit; do 
    install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
@@ -540,14 +513,6 @@ done
 for f in "%{allTools}"; do 
    install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
-# Copy the man pages for the configuration files
-for f in pkcs11.txt; do 
-   install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
-done
-# Copy the man pages for the nss databases
-for f in cert8.db cert9.db key3.db key4.db secmod.db; do 
-   install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
-done
 
 %clean
 %{__rm} -rf $RPM_BUILD_ROOT
@@ -557,53 +522,9 @@ done
 # from previous versions of nss.spec
 /usr/bin/setup-nsssysinit.sh on
 
-%post
-# If we upgrade, and the shared filename is a regular file, then we must
-# remove it, before we can install the alternatives symbolic link.
-if [ $1 -gt 1 ] ; then
-  # when upgrading or downgrading
-  if ! test -L %{_libdir}/libnssckbi.so; then
-    rm -f %{_libdir}/libnssckbi.so
-  fi
-fi
-# Install the symbolic link
-# FYI: Certain other packages use alternatives --set to enforce that the first
-# installed package is preferred. We don't do that. Highest priority wins.
-%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
-  %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
-/sbin/ldconfig
+%post -p /sbin/ldconfig
 
-%postun
-if [ $1 -eq 0 ] ; then
-  # package removal
-  %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
-else
-  # upgrade or downgrade
-  # If the new installed package uses a regular file (not a symblic link),
-  # then cleanup the alternatives link.
-  if ! test -L %{_libdir}/libnssckbi.so; then
-    %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
-  fi
-fi
-/sbin/ldconfig
-
-%posttrans
-# An earlier version of this package had an incorrect %%postun script (3.14.3-9).
-# (The incorrect %%postun always called "update-alternatives --remove",
-# because it incorrectly assumed that test -f returns false for symbolic links.)
-# The only possible remedy to fix the mistake that "always removes on upgrade"
-# made by the older %%postun script, is to repair it in %%posttrans of the new package.
-# Strategy:
-# %%posttrans is never called when uninstalling.
-# %%posttrans is only called when installing or upgrading a package.
-# Because %%posttrans is the very last action of a package install,
-# %%{_libdir}/libnssckbi.so must exist.
-# If it does not, it's the result of the incorrect removal from a broken %%postun.
-# In this case, we repeat installation of the alternatives link.
-if ! test -e %{_libdir}/libnssckbi.so; then
-  %{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
-    %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
-fi
+%postun -p /sbin/ldconfig
 
 
 %files
@@ -611,17 +532,12 @@ fi
 %{_libdir}/libnss3.so
 %{_libdir}/libssl3.so
 %{_libdir}/libsmime3.so
-%ghost %{_libdir}/libnssckbi.so
-%{_libdir}/nss/libnssckbi.so
+%{_libdir}/libnssckbi.so
 %{_libdir}/libnsspem.so
 %dir %{_sysconfdir}/pki/nssdb
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
-%attr(0644,root,root) %doc /usr/share/man/man5/*
-%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz
 
 %files sysinit
 %defattr(-,root,root)
@@ -629,12 +545,7 @@ fi
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
-%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
 %{_bindir}/setup-nsssysinit.sh
-# symbolic link to setup-nsssysinit.sh
-%{_bindir}/setup-nsssysinit
 %attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz
 
 %files tools
@@ -749,101 +660,38 @@ fi
 
 
 %changelog
-* Wed Dec 11 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3.1-1
+* Wed Dec 18 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3.1-1
 - Update to nss-3.15.3.1 (hg tag NSS_3_15_3_1_RTM)
 - Resolves: Bug 1040282 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)
 - Resolves: Bug 1040192 - nss-3.15.3.1 is available
 
-* Tue Dec 03 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-2
-- Bump the release tag
-
-* Sun Nov 24 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-1
+* Mon Dec 09 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-1
 - Update to NSS_3_15_3_RTM
 - Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws
 - Fix option descriptions for setup-nsssysinit manpage
-- Fix man page of nss-sysinit wrong path and other flaws
-- Document email option for certutil manpage
 - Remove unused patches
 
-* Sun Oct 27 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-3
-- Revert one change from last commit to preserve full nss pluggable ecc supprt [1019245]
-
-* Wed Oct 23 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-2
-- Use the full sources from upstream
+* Sun Oct 27 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-2
+- Use the full pristine sources from upstream
 - Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird
 
 * Thu Sep 26 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-1
 - Update to NSS_3_15_2_RTM
 - Update iquote.patch on account of modified prototype on cert.h installed by nss-devel
+- Keep the nss-ssl-cbc-random-iv-off-by-default.patch enabled
 
-* Wed Aug 28 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-7
-- Update pem sources to pick up a patch applied upstream which a faulty merge had missed
-- The pem module should not require unique file basenames
-
-* Tue Aug 27 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-6
-- Update pem sources to the latest from interim upstream
-
-* Mon Aug 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-5
-- Resolves: rhbz#996639 - Minor bugs in nss man pages
-- Fix some typos and improve description and see also sections
-
-* Sun Aug 11 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-4
-- Cleanup spec file to address most rpmlint errors and warnings
-- Using double percent symbols to fix macro-in-comment warnings
-- Ignore unversioned-explicit-provides nss-system-init per spec comments
-- Ignore invalid-url Source0 as it comes from the git lookaside cache
-- Ignore invalid-url Source12 as it comes from the git lookaside cache
-
-* Thu Jul 25 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-3
-- Add man page for pkcs11.txt configuration file and cert and key databases
-- Resolves: rhbz#985114 - Provide man pages for the nss configuration files
-
-* Fri Jul 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-2
-- Fix errors in the man pages
-- Resolves: rhbz#984106 - Add missing option descriptions to man pages for {cert|cms|crl}util
-- Resolves: rhbz#982856 - Fix path to script in man page for nss-sysinit
-
-* Tue Jul 02 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-1
+* Sun Jul 21 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-1
 - Update to NSS_3_15_1_RTM
-- Enable the iquote.patch to access newly introduced types
-
-* Wed Jun 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-5
-- Install man pages for nss-tools and the nss-config and setup-nsssysinit scripts
+- Enable iquote.patch to access newly introduced types
+- Install man pages for nss-config and setup-nsssysinit
 - Resolves: rhbz#606020 - nss security tools lack man pages
+- Resolves: rhbz#689918 -build nss without softoken or util sources in the tree
+- Fix NSS_VMAJOR, NSS_VMINOR, and NSS_VPATCH generation for nss-config
 
-* Tue Jun 18 2013 emaldona <emaldona@redhat.com> - 3.15-4
-- Build nss without softoken or util sources in the tree
-- Resolves: rhbz#689918
-
-* Mon Jun 17 2013 emaldona <emaldona@redhat.com> - 3.15-3
-- Update ssl-cbc-random-iv-by-default.patch
-
-* Sun Jun 16 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-2
-- Fix generation of NSS_VMAJOR, NSS_VMINOR, and NSS_VPATCH for nss-config
-
-* Sat Jun 15 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-1
-- Update to NSS_3_15_RTM
-
-* Wed Apr 24 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-0.1.beta1.2
-- Fix incorrect path that hid failed test from view
-- Add ocsp to the test suites to run but ...
-- Temporarily disable the ocsp stapling tests
-- Do not treat failed attempts at ssl pkcs11 bypass as fatal errors
-
-* Thu Apr 04 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-0.1.beta1.1
-- Update to NSS_3_15_BETA1
-- Update spec file, patches, and helper scripts on account of a shallower source tree
-
-* Sun Mar 24 2013 Kai Engert <kaie@redhat.com> - 3.14.3-12
+* Mon Apr 22 2013 Kai Engert <kaie@redhat.com> - 3.14.3-2
+- Add upstream patch to fix rhbz#872761
 - Update expired test certificates (fixed in upstream bug 852781)
 
-* Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 3.14.3-10
-- Fix incorrect post/postun scripts. Fix broken links in posttrans.
-
-* Wed Mar 06 2013 Kai Engert <kaie@redhat.com> - 3.14.3-9
-- Configure libnssckbi.so to use the alternatives system
-  in order to prepare for a drop in replacement.
-
 * Fri Feb 15 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-1
 - Update to NSS_3_14_3_RTM
 - sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3

pkcs11.txt.xml

@@ -1,56 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="pkcs11.txt">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>pkcs11.txt</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>pkcs11.txt</refname>
-    <refpurpose>NSS PKCS #11 module configuration file</refpurpose>
-  </refnamediv>
-
-  <refsection id="description">
-    <title>Description</title>
-    <para>
-The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
-    </para>
-    <para>
-For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
-    </para>
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-  </refsection>
-
-</refentry>
-

secmod.db.xml

@@ -1,63 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="secmod.db">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>secmod.db</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>secmod.db</refname>
-    <refpurpose>Legacy NSS security modules database</refpurpose>
-  </refnamediv>
-
-<refsection id="description">
-    <title>Description</title>
-    <para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
-  <para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
-  </para>
-  <para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
-  </para>
-  <para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
-  </para>
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/etc/pki/nssdb/secmod.db</filename></para>
-  </refsection>
-
-  <refsection>
-    <title>See also</title>
-    <para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-
-  </refsection>
-
-
-</refentry>