On Mon, 2006-07-31 at 13:24 -0700, Casey Marshall wrote:
> Most GNU/Linux distributions have packages for a list of root
> certificates, usually as just a bunch of separate PEM files. Does
> Fedora have something like that?
Yes. It looks like openssl ships with certificates. kdelibs does as
well. Perhaps there are others.
> If so, one good way to fix this
> would be to generate a cacerts file (using gkeytool) that contains
> the same list of certificates, and add that to the GCJ RPM. It is
> somewhat preferable for distributions to figure out which root
> certificates they want to use, than for Classpath to arbitrarily
> decide what certificates to include, IMO.
Sounds good. This should probably go in the java-1.4.2-gcj-compat
package (our JDK compatibility layer on top of gcj). We could simply
"BuildRequire" openssl to generate and package the cacerts files.
> Does that make sense? I can explain how to generate such a cacerts
> file from a bunch of separate certificates, if you like.
That would be great. I've never run gkeytool before.
> Additionally, loading cacerts isn't even necessary with Classpath:
> Jessie uses an internal list of root certificates (approximately the
> same list you'll find by default in e.g. Firefox) if no other
> certificates are provided. Nice to see that the RSSOwl people had to
> make this crap so "Easy." A bug (or maybe just some harsh words)
> upstream is also advisable.
Ok.
Thanks,
AG