[Nut-upsdev] NSS support in trunk (was: NSS branch pull request)

Arnaud Quette aquette.dev at gmail.com
Fri Oct 12 22:55:27 UTC 2012


2012/10/12 Emilien Kia <kiae.dev at gmail.com>

> Hi guys,
>

Hi Emilien and the list,

> This is a pull request to finally merge NSS feature in nut trunk:
> https://github.com/clepple/nut/pull/3
>

I'd like to take a moment to shed some more light on this important
development, which lasted 3 years:

- the initial request <http://lists.alioth.debian.org/pipermail/nut-upsdev/2009-September/004023.html> to
support Mozilla NSS (Network Security Services) was made by Michal
Hlavinka (from Redhat) in September 2009.
at that time, Redhat was pushing an effort to consolidate cryptographic
services <http://fedoraproject.org/wiki/FedoraCryptoConsolidation> in
Fedora.
The same was true on the side of Suse / Novell (Stanislav Brabec).

- as a Debian developer, I was very interested in the topic:
for legal reasons, NUT can't be linked with OpenSSL without exiting from
the 'main' Debian repository.
since NSS is distributed under 3 licenses, including GPL, it will fix the
missing crypto in Debian (and derivatives) NUT packages!

- as a NUT dev, I made a preliminary audit a few months later: Alioth Task
#456 <https://alioth.debian.org/pm/task.php?func=detailtask&project_task_id=456&group_id=30602&group_project_id=315> (SSL
support using Mozilla NSS).
but lacking time on my side, another person was needed to work on it.

- this happened through the Eaton sponsorship, half a year later:
Emilien, very knowledgeable and skilled in IT security and software
development (perfect profile for this task), started to work on the topic.

- actual development happened over 2 months (dec. 2010-jan. 2011), executed
perfectly as planned.
it successfully passed tests, and only received very few adjustments later.

- some merge preparations were attempted over the past year. but the actual
merge never happened, for various reasons.

- Emilien devoted a lot of energy and personal time, over the past week, to
get the merge approval.
so thanks a lot, and kudos Emilien! you did it ;)

- thus my review was easier and quicker. it resulted in my approval, with a
tiny (but not minor) adjustment.
namely, libupsclient version information was not bumped (my fault!).
however, some improvements are already planned and will be tracked soon on
Alioth.

- Frédéric Bohé (from Eaton) also deserves his bunch of thanks, for having
executed the NSS tests... several times over the past couple of years. so
thanks a lot Fred. Wookiee power!

- the final thanks goes to Charles Lepple, who counter approved the github
pull request, and handled the final merge to the official development tree,
a few hours ago:

> http://trac.networkupstools.org/projects/nut/changeset/3751
>
> Add Network Security Services (NSS) support
>
> Author: Emilien Kia <kiae.dev at gmail.com>
>
> Based on SVN: branches/ssl-nss-port
>
> Closes pull request #3: https://github.com/clepple/nut/pull/3
>
> Additional commits by Arnaud Quette and Arjen de Korte.

- the compilation is successful on our
Buildbots <http://buildbot.networkupstools.org/public/nut/builders>,
except on AIX (not available, offline) and Windows (not applicable).

- Emilien and I will work on completing the QA regression test script for
NUT <http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/view/head:/scripts/test-nut.py> for
NSS.
for the time being, all the (few) current tests pass on the new trunk:

> test_CVE_2012_2944 (__main__.BasicTest)
> Test CVE-2012-2944 ... ok
> test_daemons_pid (__main__.BasicTest)
> Test daemons using PID files ... ok
> test_daemons_service (__main__.BasicTest)
> Test daemons using "service status" ... ok
> test_upsc_device_list (__main__.BasicTest)
> Test NUT client interface (upsc): device(s) listing ... ok
> test_upsd_IPv4 (__main__.BasicTest)
> Test upsd IPv4 reachability ... ok
> test_upsd_IPv6 (__main__.BasicTest)
> Test upsd IPv6 reachability ... ok
> test_upsmon_notif (__main__.BasicTest)
> Test upsmon notifications ... ok
> test_upsmon_shutdown (__main__.BasicTest)
> Test upsmon basic shutdown (single UPS, low battery status) ... ok
> test_upsrw (__main__.BasicTest)
> Test upsrw ... ok

...
> The DVT have been successfully passed by Fred Bohe (Eaton).
>

for those interested, this test validation report is available
here <http://www.networkupstools.org/tmp/NUT-NSS_Mini_DVT_exec10Oct2012-FBohe.pdf>.

the current plan is still to release NSS support with 2.8.0.
I will discuss, in a separate thread on -upsusers, the progress status of
the 2.8.0.

in the meantime, a
snapshot <http://www.networkupstools.org/source/2.8/nut-trunk-r3751.tar.gz> is
available for testing.
you will need to have NSS development files, to use "configure --with-nss".
refer to docs/security.txt, § "NSS backend usage" for configuration
instructions.
I will post a blog entry with more details.

it's sometimes a long road to reach the target.
thanks again to Emilien, Fred and Charles.
and to Eaton for this sponsorship.

cheers,
Arnaud
-- 
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org
Debian Developer - http://www.debian.org
Free Software Developer - http://arnaud.quette.fr