Shared System Certificates followup: Packaging Guidelines?

Kai Engert kaie at
Wed Jan 8 19:57:29 UTC 2014

On Mi, 2014-01-08 at 13:38 -0500, Stephen Gallagher wrote: 
> I don't really see this being more likely than an existing application
> just bundling a wrapper script for certificate generation and
> 'update-ca-extract' and quietly running that as part of %post. Just as
> easy to miss and equally effective (with much less trouble).


> I don't think that we can really write policy that eliminates the risk
> of a determined abuse of the available technology.

Probably. What do you think about adding a section to package reviewing
guidelines, which says that packages that add files to the global CA
directories should provide reasoning, and have someone check that
reasoning. It might at least make people aware this is something to be
careful with.


More information about the devel mailing list