On Wed, Dec 11, 2013 at 6:59 PM, Toshio Kuratomi <a.bad...@gmail.com> wrote:
> I'm by no means an expert in this area but my impression is that the
> PackagingDraft is made obsolete by the Shared System Certificates Feature.
Shared system certificates are unrelated to application-specific
certificates and private keys, and to some extent even to
application-specific (or specifically-per-application-configured) CA
certificates.
> * Should packages that ship their own cacerts be patched to use Shared
> System Certificates instead? [I think the answer to this is yes]
> * If the package contains a cacert that is not in our bundle, should those
> be added?
> * How does a package add a cacert to our existing bundle?
The preference I've heard earlier is to use ca-certificates as the
only authority (and ca-certificates using the Mozilla CA set without
making similar decisions at the Fedora level, because we don't have
any resources to do CA vetting), and disallow other packages from
shipping and installing any other system-wide CA certificate.
I suppose setting up some kind of site-wide mechanism like freeipa
could also install a CA certificate, but it would be a generated
certificate not shipped by a package, and it would have to be an
explicit administrator's action.
This makes sense to me; if there are cases that this can't account
for, please speak up.
Mirek
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
