Re: [PATCHES] profiles: Produce a single-file CA certificate bundle
From: Ludovic Courtès
Subject: Re: [PATCHES] profiles: Produce a single-file CA certificate bundle
Date: Tue, 03 Mar 2015 21:04:43 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)
Mark H Weaver <address@hidden> writes:
> Fedora's system for handling CA certificates seems to be vastly more
> sophisticated than Debian's. All of the single-file bundles are
> considered "legacy", and Fedora is able to produce multiple bundles
> containing certs trusted for different purposes.
>
> Doing this job properly will require more research, but it seems to me
> that we should be looking to Fedora for guidance:
>
> http://pkgs.fedoraproject.org/cgit/ca-certificates.git
> http://pkgs.fedoraproject.org/cgit/openssl.git
> http://pkgs.fedoraproject.org/cgit/gnutls.git
Indeed, this looks like a useful source of inspiration.
> Andreas Enge <address@hidden> writes:
>> If we decide to remove certificates, this should not only be done in the
>> aggregation phase into one file. They should be removed at the end of the
>> nss-certs build, so that also the single certificate files will disappear.
>> What is left over can be collected into one file as is done now.
>
> Agreed. For now, I've pushed my recently proposed commits (to support
> certificate stores in profiles) along with changes to our 'nss-certs'
> package to only install certificates that are annotated with a non-empty
> "openssl-trust=" comment by our 'certdata2pem.py' (from Fedora).
Good.
BTW, since the ‘x509-certificates’ is now gone, I think we should add
‘nss-certs’ to ‘%base-packages’ to get that works-out-of-the-box
property.
WDYT?
Thanks,
Ludo’.
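As an added illustration, not code from this thread, from Guix, or from Fedora's certdata2pem.py: the filtering step Mark describes (keep only certificates carrying a non-empty "openssl-trust=" annotation, then collect what is left into one bundle) can be sketched as a small parser over annotated PEM output. The exact `# openssl-trust=...` comment syntax, the other annotation names, and the certificate bodies below are assumptions and constructed sample data, not real certificates.

```python
# Constructed sample in an annotated-PEM style: a comment header per
# certificate followed by the PEM block. The "# openssl-trust=" line
# format is an assumption about certdata2pem.py's output; the base64
# bodies are placeholders, not real certificates.
SAMPLE = """\
# alias=Example Trusted Root
# openssl-trust=serverAuth emailProtection
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
# alias=Example Untrusted Root
# openssl-trust=
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
# alias=Example Missing Annotation
-----BEGIN CERTIFICATE-----
Q0NDQw==
-----END CERTIFICATE-----
"""


def parse_annotated_pem(text):
    """Return a list of (annotations, pem_text) pairs.

    Comment lines of the form "# key=value" preceding a PEM block are
    collected into a dict; the PEM block itself is kept verbatim.
    """
    entries = []
    annotations = {}
    pem_lines = None
    for line in text.splitlines():
        if pem_lines is None:
            if line.startswith("# "):
                key, _, value = line[2:].partition("=")
                annotations[key.strip()] = value.strip()
            elif line == "-----BEGIN CERTIFICATE-----":
                pem_lines = [line]
        else:
            pem_lines.append(line)
            if line == "-----END CERTIFICATE-----":
                entries.append((annotations, "\n".join(pem_lines) + "\n"))
                annotations = {}
                pem_lines = None
    return entries


def trusted_entries(entries):
    """Keep only entries whose openssl-trust annotation names a purpose.

    An absent or empty "openssl-trust=" annotation means the certificate is
    not trusted for any OpenSSL purpose and is dropped, mirroring the
    nss-certs filtering described in the thread.
    """
    return [(a, p) for a, p in entries if a.get("openssl-trust", "").split()]


def trusted_aliases(text):
    """Aliases of the certificates that would survive the filter."""
    return [a.get("alias", "") for a, _ in trusted_entries(parse_annotated_pem(text))]


def build_bundle(text):
    """Concatenate the surviving PEM blocks into a single-file bundle."""
    return "".join(p for _, p in trusted_entries(parse_annotated_pem(text)))


if __name__ == "__main__":
    print(build_bundle(SAMPLE), end="")
```

The same filter applied per certificate file, before aggregation, is what Andreas asks for: dropping the untrusted entries at the end of the nss-certs build means neither the single-certificate files nor the bundle carry them.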