Mark H Weaver <m...@netris.org> writes:

> Fedora's system for handling CA certificates seems to be vastly more
> sophisticated than Debian's.  All of the single-file bundles are
> considered "legacy", and Fedora is able to produce multiple bundles
> containing certs trusted for different purposes.
>
> Doing this job properly will require more research, but it seems to me
> that we should be looking to Fedora for guidance:
>
> http://pkgs.fedoraproject.org/cgit/ca-certificates.git
> http://pkgs.fedoraproject.org/cgit/openssl.git
> http://pkgs.fedoraproject.org/cgit/gnutls.git
Indeed, this looks like a useful source of inspiration.

> Andreas Enge <andr...@enge.fr> writes:
>> If we decide to remove certificates, this should not only be done in the
>> aggregation phase into one file.  They should be removed at the end of the
>> nss-certs build, so that the single certificate files will also disappear.
>> What is left over can be collected into one file as is done now.
>
> Agreed.  For now, I've pushed my recently proposed commits (to support
> certificate stores in profiles) along with changes to our 'nss-certs'
> package to only install certificates that are annotated with a non-empty
> "openssl-trust=" comment by our 'certdata2pem.py' (from Fedora).

Good.

BTW, since ‘x509-certificates’ is now gone, I think we should add
‘nss-certs’ to ‘%base-packages’ to get that works-out-of-the-box property.

WDYT?

Thanks,
Ludo’.
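The filtering step Mark describes, keeping only certificates whose "openssl-trust=" comment is non-empty before they are collected into a bundle, as an added example that is not part of the thread and is neither Guix's nor Fedora's own code. It assumes the annotated PEM layout is a run of "# key=value" comment lines followed by the certificate block; the "alias=" comment and the certificate bodies below are constructed placeholders, not real certificates or real certdata2pem.py output.

```python
"""Keep only PEM certificates annotated with a non-empty "openssl-trust=" comment.

Added example (not Guix's or Fedora's code).  Assumed input layout: each
certificate is preceded by '# key=value' comment lines; the 'alias=' key is
an assumption, and the certificate bodies in SAMPLE are constructed
placeholders, not real certificates.
"""
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
ANNOTATION = re.compile(r"#\s*([\w-]+)=(.*)$")


def parse_annotated_bundle(text):
    """Yield (annotations, pem) pairs for each certificate block in TEXT.

    '# key=value' comment lines seen before a block are attached to it as a
    dict; a block with no preceding comments gets an empty dict."""
    annotations = {}
    pem_lines = None
    for line in text.splitlines():
        if pem_lines is None:
            if line.startswith("#"):
                m = ANNOTATION.match(line)
                if m:
                    annotations[m.group(1)] = m.group(2).strip()
            elif line.strip() == BEGIN:
                pem_lines = [line]
            elif line.strip():
                raise ValueError("unexpected line outside PEM block: %r" % line)
        else:
            pem_lines.append(line)
            if line.strip() == END:
                yield annotations, "\n".join(pem_lines) + "\n"
                annotations = {}
                pem_lines = None
    if pem_lines is not None:
        raise ValueError("unterminated PEM block")


def trusted_certificates(text):
    """Return [(alias, openssl_trust, pem)] for certificates whose
    'openssl-trust=' annotation is present and non-empty.  Certificates with
    no annotation at all are dropped, matching the 'non-empty' rule."""
    kept = []
    for ann, pem in parse_annotated_bundle(text):
        trust = ann.get("openssl-trust", "")
        if trust:
            kept.append((ann.get("alias", "<unnamed>"), trust, pem))
    return kept


def build_bundle(text):
    """Concatenate the trusted certificates into a single-file bundle."""
    return "".join(pem for _, _, pem in trusted_certificates(text))


# Constructed sample: three annotated entries, one with an empty trust list.
SAMPLE = """\
# alias=Example Root CA 1
# openssl-trust=serverAuth emailProtection
-----BEGIN CERTIFICATE-----
MIIBconstructedPLACEHOLDER1
-----END CERTIFICATE-----

# alias=Example Untrusted Root
# openssl-trust=
-----BEGIN CERTIFICATE-----
MIIBconstructedPLACEHOLDER2
-----END CERTIFICATE-----

# alias=Example Email-only CA
# openssl-trust=emailProtection
-----BEGIN CERTIFICATE-----
MIIBconstructedPLACEHOLDER3
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for alias, trust, _ in trusted_certificates(SAMPLE):
        print("%s: %s" % (alias, trust))
    print(build_bundle(SAMPLE), end="")
```

Dropping the entry at parse time, rather than only when aggregating, is the point Andreas makes: a per-certificate file for "Example Untrusted Root" never gets written, so nothing downstream can pick it up by accident.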