Shared System Certificates followup: Packaging Guidelines?

Adam Williamson awilliam at redhat.com
Wed Jan 8 17:16:13 UTC 2014


On Wed, 2014-01-08 at 18:05 +0100, Kai Engert wrote:
> On Mi, 2013-12-11 at 09:59 -0800, Toshio Kuratomi wrote: 
> > Last night someone asked me about a package that they were working on that
> > had a pem file in it.  Looking closer, it seems that the pem file is
> > a cacert bundle.  Looking around, there's not currently documentation on
> > what to do with these.  I did find some information on the wiki, though:
> > 
> >   https://fedoraproject.org/wiki/PackagingDrafts/Certificates
> >   https://fedoraproject.org/wiki/Features/SharedSystemCertificates
> >   https://fedoraproject.org/wiki/Talk:Features/SharedSystemCertificates
> > 
> > I'm by no means an expert in this area but my impression is that the
> > PackagingDraft is made obsolete by the Shared System Certificates Feature.
> > As Killerix and Misc note on the talk page we should probably have some
> > packaging guidelines added that tell us what the expectations are.
> > 
> > The Guideline should answer the following questions:
> > 
> > * Should packages that ship their own cacerts be patched to use Shared
> >   System Certificates instead?  [I think the answer to this is yes]
> 
> Packages, that would like to use a default list of CA certificates,
> should be changed to use (consume) the new consolidated data that we
> provide as part of SharedSystemCertificates.

This could do with some specifics:

[adamw at adam libtorrent (master)]$ rpm -ql ca-certificates | grep -c -e
'pem' -e 'crt'
11
[adamw at adam libtorrent (master)]$ 

which one of those 11 files, exactly, should we have packages use when?
When I came up against this situation recently I threw a dart and
picked /etc/pki/tls/certs/ca-bundle.crt , but I'm hardly certain.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net



More information about the devel mailing list