Shared System Certificates followup: Packaging Guidelines?
awilliam at redhat.com
Wed Jan 8 17:16:13 UTC 2014
On Wed, 2014-01-08 at 18:05 +0100, Kai Engert wrote:
> On Mi, 2013-12-11 at 09:59 -0800, Toshio Kuratomi wrote:
> > Last night someone asked me about a package that they were working on that
> > had a pem file in it. Looking closer, it seems that the pem file is
> > a cacert bundle. Looking around, there's not currently documentation on
> > what to do with these. I did find some information on the wiki, though:
> > https://fedoraproject.org/wiki/PackagingDrafts/Certificates
> > https://fedoraproject.org/wiki/Features/SharedSystemCertificates
> > https://fedoraproject.org/wiki/Talk:Features/SharedSystemCertificates
> > I'm by no means an expert in this area but my impression is that the
> > PackagingDraft is made obsolete by the Shared System Certificates Feature.
> > As Killerix and Misc note on the talk page we should probably have some
> > packaging guidelines added that tell us what the expectations are.
> > The Guideline should answer the following questions:
> > * Should packages that ship their own cacerts be patched to use Shared
> > System Certificates instead? [I think the answer to this is yes]
> Packages, that would like to use a default list of CA certificates,
> should be changed to use (consume) the new consolidated data that we
> provide as part of SharedSystemCertificates.
This could do with some specifics:
[adamw at adam libtorrent (master)]$ rpm -ql ca-certificates | grep -c -e
'pem' -e 'crt'
[adamw at adam libtorrent (master)]$
which one of those 11 files, exactly, should we have packages use when?
When I came up against this situation recently I threw a dart and
picked /etc/pki/tls/certs/ca-bundle.crt , but I'm hardly certain.
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
More information about the devel