NSS:ToolsToShip
Which tools should be shipped with NSS?
On operating systems that ship NSS as a system library, it's a good idea to ship the NSS tools as well. This page is meant to reach an agreement on which tools can be shipped and what requirements that would have.
Proposal: main tools vs. unsupported tools
Distinguish between:
- "main" tools that get installed in the global program search path (like /usr/bin on Linux) and should therefore be documented and part of NSS QA
- "unsupported" tools that do not have documentation, that are not necessarily part of the NSS QA, that will not get installed in the search path, but in a secondary location like /usr/lib/nss/unsupported-tools
The idea is to:
- make the unsupported tools available with the OS, so that developers do not have to compile them themselves
- ensure that by default the unsupported tools will not be available on the command line
- require that developers add the unsupported directory to their search path
Proposal for packaging
Ship the unsupported tools in the same package as the supported tools.
This ensures that everybody looking for tools will find the unsupported tools as well! Having a separate package for the unsupported tools would make it much more difficult to find them.
Group 1: Tools that are shipping already
The following tools have sufficient docs and are already being shipped by some vendors. Note that the NSS tools documentation page is at: http://www.mozilla.org/projects/security/pki/nss/tools/
- certutil
- modutil
- pk12util
- signtool
- ssltap
Group 2: Candidates for addition that have documentation
These tools are listed on http://www.mozilla.org/projects/security/pki/nss/tools/ and, except for dbck, we have been asked to ship them:
crlutil
Has docs. Proposal: ship as "main" tool
cmsutil
Has docs. Proposal: ship as "main" tool
signver
Proposal: clean up docs and ship as "main" tool
Docs need work!
- docs currently point to developer.netscape.com, no longer available!
- however, we have an archived version here:
- should we just copy the old documentation to a new page?
- are we allowed to?
dbck
No docs. Proposal: do NOT package this tool
This tool is also not development complete, and it will need to be adjusted to work on sqlite databases as well.
Group 3: Requested or proposed unsupported tools
We received requests to ship the following tools.
- derdump
- pp
- ocspclnt
- tstclnt
- selfserv
- vfyserv
- atob
- btoa
We have not yet been asked to ship the following tools, but they all seem to provide functionality that might eventually be helpful while debugging or testing:
- shlibsign
- symkeyutil (This tool is currently incomplete, but would provide needed functionality if it were complete.)
- vfychain
- strsclnt
Assumption: nobody volunteers to write documentation for them short term.
Proposal based on that assumption: ship them as unsupported tools
Group 4: Undocumented tools that should not get shipped
It seems unlikely that non-NSS developers might want to use the following tools in their current state:
- addbuiltin
- bltest
- certcgi
- checkcert
- client
- crmftest
- dbtest
- digest
- example
- fipstest
- makepgq
- mangle
- minigzip
- oidcalc
- p7content
- p7env
- p7sign
- p7verify
- pk11mode
- pk11util - this is a useful tool for PKCS #11 developers. It might be a candidate for a PKCS #11 devel package.
- rsaperf
- sdrtest
- server
Group 5: Undocumented tools that currently aren't built, but may be candidates for support
There are several tools that are currently not built as part of NSS. Some of these tools may have some utility.
- pwdecrypt - reads a file with base64 SDR-encrypted data and replaces that data with decrypted data (useful for reading Mozilla password files without a Mozilla app).