Mark H Weaver <m...@netris.org> wrote:

> Fedora's system for handling CA certificates seems to be vastly more
> sophisticated than Debian's.  All of the single-file bundles are
> considered "legacy", and Fedora is able to produce multiple bundles
> containing certs trusted for different purposes.
>
> Doing this job properly will require more research, but it seems to me
> that we should be looking to Fedora for guidance:
>
>   http://pkgs.fedoraproject.org/cgit/ca-certificates.git
>   http://pkgs.fedoraproject.org/cgit/openssl.git
>   http://pkgs.fedoraproject.org/cgit/gnutls.git

Indeed, this looks like a useful source of inspiration.

> Andreas Enge <andr...@enge.fr> writes:
>> If we decide to remove certificates, this should not only be done in the
>> aggregation phase into one file. They should be removed at the end of the
>> nss-certs build, so that also the single certificate files will disappear.
>> What is left over can be collected into one file as is done now.
>
> Agreed.  For now, I've pushed my recently proposed commits (to support
> certificate stores in profiles) along with changes to our 'nss-certs'
> package to only install certificates that are annotated with a non-empty
> "openssl-trust=" comment by our 'certdata2pem.py' (from Fedora).

Good.

BTW, since ‘x509-certificates’ is now gone, I think we should add
‘nss-certs’ to ‘%base-packages’ to get that works-out-of-the-box
property.

WDYT?

Thanks,
Ludo’.