Why is NSS patched with 'add_spi+cacert_ca_certs.patch' on Alpine?
If I try to update NSS from 3.51.1 to 3.52 and build the package, the following error is generated:
Linux5.4_x86_64_gcc_glibc_PTH_64_OPT.OBJ/certdata.c:14:51: error: 'CKO_NETSCAPE_TRUST' undeclared here (not in a
function); did you mean 'CKO_NSS_TRUST'?
14 | static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
| ^~~~~~~~~~~~~~~~~~
| CKO_NSS_TRUST
Linux5.4_x86_64_gcc_glibc_PTH_64_OPT.OBJ/certdata.c:17:56: error: 'CKT_NETSCAPE_TRUSTED_DELEGATOR' undeclared her
e (not in a function); did you mean 'CKT_NSS_TRUSTED_DELEGATOR'?
17 | static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| CKT_NSS_TRUSTED_DELEGATOR
make[3]: *** [../../../coreconf/rules.mk:410: Linux5.4_x86_64_gcc_glibc_PTH_64_OPT.OBJ/certdata.o] Error 1
After removing the patch 'add_spi+cacert_ca_certs.patch', NSS 3.52 will build without problems.
This patch was added in 2010 and last changed in 2013. I see it add various certificates, but I'm not sure why this was/is needed in Alpine? Void Linux does not use the patch. Can anyone explain?
I'm wondering if this could be a security issue with NSS in Alpine? who knows if any of these old certificates added with the patch has been revoked long ago?