Hacking NSS
Using NSS from Pluto
Use lsw_nss_error*() to report errors
It includes both the error symbol name and the error message (the former is really useful when reading the code^D^D^D^D documentation when tracking down why the error was returned).
Debugging NSS
Linking libreswan against a custom NSS build
Building and Installing Custom NSS RPMs
Below are notes on building the latest Fedora RPM on the build machine.
Build Custom NSS RPM ...
... using fedpkg local and a KVM
Here, we use the build machine (it has lots of memory and network access) and the 9p mounted directory /pool (aka $(KVM_POOLDIR), but /testing and /root should also work). Just remember that any changes to build aren't permanent; we'll get to that later.
First, let's set things up:
$ ./kvm sh build
build# cd /pool
build# dnf install -y fedpkg
build# cat /etc/fedora-release
Fedora release 32 (Thirty Two)
build# fedpkg clone --branch f32 --anonymous nss
build# cd nss
build# dnf builddep nss
Next is to hack xmlto so that it doesn't try to preserve permissions when copying files within the 9p file system (remember, ./kvm uninstall install will wipe this):
build# sed -i -e 's/ -p / /' \
    /usr/share/xmlto/format/docbook/man \
    /usr/share/xmlto/format/docbook/html
Optionally, hobble tests during the build:
build# sed -i -e 's/bcond_without tests/bcond_with tests/' nss.spec
Finally, build (something better?):
build# fedpkg local --without tests
or:
build# fedpkg prep --without tests
build# fedpkg compile --short-circuit --without tests
... using fedpkg mock and the Fedora host
Hmm, something goes here!
fedpkg mock-config
fedpkg mockbuild
Making the Custom NSS RPMs Stick
Distribute Custom NSS RPMs
For legal reasons, tar up both the .rpm and .srpm files into a single archive and make that available - it forces whoever is using the RPMs to also download the sources.
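One way to enforce the rule above when packaging, as an added example that is not part of the original notes or of libreswan's tooling: the function refuses to create the archive unless both a source RPM and a binary RPM are present. The name bundle_rpms, its arguments, and the recursive search of the build directory are assumptions.

```shell
#!/bin/bash
# Added example: bundle binary and source RPMs into one archive.
# bundle_rpms and its arguments are hypothetical names, not libreswan tooling.
#
# usage: bundle_rpms <build-dir> <output.tar.gz>
# Returns 2 if no .src.rpm is found, 3 if no binary .rpm is found.
bundle_rpms() {
    local dir="$1" out="$2" list
    list=$(mktemp) || return 1

    # Collect every RPM below the build directory, as paths relative to it.
    # Assumption: the SRPM and the binary RPMs may sit in different
    # subdirectories, so search recursively.
    ( cd "$dir" && find . -type f -name '*.rpm' | sort ) > "$list"

    # Sources are mandatory: never ship binaries on their own.
    if ! grep -q '\.src\.rpm$' "$list"; then
        echo "bundle_rpms: no .src.rpm under $dir; refusing" >&2
        rm -f "$list"
        return 2
    fi
    # An archive holding only sources is not the intended bundle either.
    if ! grep -v '\.src\.rpm$' "$list" | grep -q '\.rpm$'; then
        echo "bundle_rpms: no binary .rpm under $dir; refusing" >&2
        rm -f "$list"
        return 3
    fi

    # One archive containing both, so the sources cannot be skipped.
    if ! tar -C "$dir" -czf "$out" -T "$list"; then
        rm -f "$list"
        return 1
    fi
    rm -f "$list"

    # Publish a checksum next to the archive so downloads can be verified.
    sha256sum "$out" > "$out.sha256"
}
```

Whoever downloads the archive can check it with sha256sum -c against the .sha256 file before installing anything from it.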