The dracut project needs to copy the p11-kit-trust.so, plus all trust input, to an initramfs for a minimal environment, such as installers and for kernel boot. At least installers need web access, and the tool to download from the web might be configured to use p11-kit-trust.so.

Because dracut is a cross-distribution tool, and because distributions may individually choose the directories they use for input to p11-kit-trust.so, it would be helpful to have a dynamic mechanism provided by p11-kit that prints the directory names that will be dynamically accessed by p11-kit-trust.so.

For example, on Fedora, it could work like this, with the following output:

    $ trust print-config
    /etc/pki/ca-trust/source
    /usr/share/pki/ca-trust-source
Adam, please let us know if you have thoughts about the priority of this.
Well, it just depends on how likely it is that the bodge we put in dracut will break:

    for _dir in $libdirs; do
        [[ -e $_dir/libnssckbi.so ]] || continue
        # this looks for directory-ish strings in the file
        for _p11roots in $(grep -o --binary-files=text "/[[:alpha:]][[:print:]]*" $_dir/libnssckbi.so) ; do
            # the string can be a :-separated list of dirs
            for _p11root in $(echo "$_p11roots" | tr ':' '\n') ; do
                # check if it's actually a directory (there are
                # several false positives in the results)
                [[ -d "$_p11root" ]] || continue
                # check if it has some specific subdirs that all
                # p11-kit trust dirs have
                [[ -d "${_p11root}/anchors" ]] || continue
                [[ -d "${_p11root}/blacklist" ]] || continue
                # so now we know it's really a p11-kit trust dir;
                # install everything in it

If anything changes to break that grep command or the expectation that all trust dirs will have /anchors and /blacklist subdirectories, we're in trouble. So long as those things hold true, it's not *urgent*.
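The heuristic quoted in the comment above, restated as a testable function and run against a constructed fake module to show how it fails silently when the directory layout changes. This is an added example, not code from dracut or p11-kit; the function names, the sample file and the rename to `blocklist` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; p11_trust_dirs_from_lib, make_sample and demo are hypothetical names.

# Print each directory named inside the binary $1 that looks like a
# p11-kit trust dir, i.e. exists and has anchors/ and blacklist/ subdirs.
p11_trust_dirs_from_lib() {
    LC_ALL=C grep -o --binary-files=text '/[[:alpha:]][[:print:]]*' "$1" |
        tr ':' '\n' |                         # strings may be ':'-separated lists
        while IFS= read -r dir; do
            [ -d "$dir" ] || continue         # drop the false positives
            [ -d "$dir/anchors" ] || continue
            [ -d "$dir/blacklist" ] || continue
            printf '%s\n' "$dir"
        done | sort -u
}

# Constructed sample under $1: a fake module with a path list embedded
# between NUL bytes, one complete trust dir and one lacking blacklist/.
make_sample() {
    mkdir -p "$1/etc-source/anchors" "$1/etc-source/blacklist" \
             "$1/share-source/anchors"
    printf 'ELFjunk\000%s:%s\000/not/a/real/dir\000' \
        "$1/etc-source" "$1/share-source" > "$1/fake-libnssckbi.so"
}

demo() {
    work=$(mktemp -d) || return 1
    make_sample "$work"
    echo "dirs found with the expected layout:"
    p11_trust_dirs_from_lib "$work/fake-libnssckbi.so"
    # Hypothetical layout change: the subdirectory gets a new name and the
    # heuristic returns nothing, without any error.
    mv "$work/etc-source/blacklist" "$work/etc-source/blocklist"
    n=$(p11_trust_dirs_from_lib "$work/fake-libnssckbi.so" | wc -l | tr -d ' ')
    echo "dirs found after the rename: $n"
    rm -rf "$work"
}
demo
```

An initramfs built after such a change would ship without trust anchors and fail only at TLS verification time, so a build step using this heuristic should treat an empty result as an error.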