guix-devel
Re: [PATCHES] profiles: Produce a single-file CA certificate bundle


From: Ludovic Courtès
Subject: Re: [PATCHES] profiles: Produce a single-file CA certificate bundle
Date: Tue, 03 Mar 2015 21:04:43 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)

Mark H Weaver <address@hidden> skribis:

> Fedora's system for handling CA certificates seems to be vastly more
> sophisticated than Debian's.  All of the single-file bundles are
> considered "legacy", and Fedora is able to produce multiple bundles
> containing certs trusted for different purposes.
>
> Doing this job properly will require more research, but it seems to me
> that we should be looking to Fedora for guidance:
>
>   http://pkgs.fedoraproject.org/cgit/ca-certificates.git
>   http://pkgs.fedoraproject.org/cgit/openssl.git
>   http://pkgs.fedoraproject.org/cgit/gnutls.git

Indeed, this looks like a useful source of inspiration.

> Andreas Enge <address@hidden> writes:
>> If we decide to remove certificates, this should not only be done in the
>> aggregation phase into one file. They should be removed at the end of the
>> nss-certs build, so that also the single certificate files will disappear.
>> What is left over can be collected into one file as is done now.
>
> Agreed.  For now, I've pushed my recently proposed commits (to support
> certificate stores in profiles) along with changes to our 'nss-certs'
> package to only install certificates that are annotated with a non-empty
> "openssl-trust=" comment by our 'certdata2pem.py' (from Fedora).

Good.

BTW, since the ‘x509-certificates’ is now gone, I think we should add
‘nss-certs’ to ‘%base-packages’ to get that works-out-of-the-box
property.

WDYT?

Thanks,
Ludo’.
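
The selection rule quoted above (install only certificates whose annotation carries a non-empty "openssl-trust=" comment, then collect what is left into one file) can be sketched as follows. This is an added example, not code from this thread, from Guix or from 'certdata2pem.py'; the file names, the placeholder certificate bodies and the exact `# key=value` comment layout are assumptions.

```python
import re

PEM = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n"

# Constructed sample input (file name -> contents). The base64 bodies are
# placeholders, not real certificates; the comment layout is an assumption.
SAMPLE = {
    "Example_Root_A.crt": '# alias="Example Root A"\n'
                          "# openssl-trust=serverAuth emailProtection\n"
                          + PEM.format("QUFBQQ=="),
    "Example_Root_B.crt": '# alias="Example Root B"\n'
                          "# openssl-trust=\n"          # annotated but empty
                          + PEM.format("QkJCQg=="),
    "Example_Root_C.crt": '# alias="Example Root C"\n'
                          "# openssl-distrust=serverAuth\n"  # no trust line
                          + PEM.format("Q0NDQw=="),
    "Example_Root_D.crt": '# alias="Example Root D"\n'
                          "# openssl-trust=emailProtection\n"
                          + PEM.format("RERERA=="),
}

TRUST_RE = re.compile(r"^#[ \t]*openssl-trust=(.*)$", re.MULTILINE)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n", re.DOTALL)

def trusted_purposes(text):
    """Purposes listed in the openssl-trust= comment; [] if absent or empty."""
    match = TRUST_RE.search(text)
    return match.group(1).split() if match else []

def select_trusted(files):
    """Keep files with a non-empty openssl-trust= comment and a PEM block."""
    return {name: text for name, text in sorted(files.items())
            if trusted_purposes(text) and PEM_RE.search(text)}

def make_bundle(files):
    """Concatenate the PEM blocks of the selected files into one bundle."""
    return "".join(PEM_RE.search(text).group(0)
                   for text in select_trusted(files).values())

if __name__ == "__main__":
    print(list(select_trusted(SAMPLE)))
    print(make_bundle(SAMPLE), end="")
```

Note that the constructed "Example Root D", annotated for emailProtection only, still lands in the single bundle; a non-empty check does not distinguish purposes, which is the gap the per-purpose bundles mentioned at the top of the message address.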


