[Bug 620752] Review Request: update-ca-certificates - A tool to index CA certificates

bugzilla at redhat.com
Tue Aug 3 12:59:31 UTC 2010



https://bugzilla.redhat.com/show_bug.cgi?id=620752

David Woodhouse <dwmw2 at infradead.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dwmw2 at infradead.org

--- Comment #2 from David Woodhouse <dwmw2 at infradead.org> 2010-08-03 08:59:30 EDT ---
I can sponsor you. Thanks very much for looking at this.

One request: please could I ask if you would consider licensing this tool under
GPLv2+? I would like to include it in MeeGo too, and we have silly rules about
GPLv3. It would be a shame to write *another* separate implementation.

Your tool creates a hashed directory for OpenSSL -- a bit like the OpenSSL
c_rehash script. But the Fedora OpenSSL still doesn't *use* such a directory,
does it? It's configured only to use a single flat file /etc/pki/tls/cert.pem.

Your sample ca-cacert package adds its certs manually to the NSS database, and
presumably it would also call this update-ca-certificates script in its %post
script? Perhaps the script should handle *both* tasks for it, to reduce the
complexity of the %post and %postun/%preun scripts in the CA packages?

If the script were to take an argument listing the filenames of the certs to
add/remove, then it could update *both* the NSS database and the OpenSSL flat
file at the same time (or perhaps do the NSS database and then just regenerate
the OpenSSL file directly from that?).

I assume you've looked at the Debian update-ca-certificates script? I have
mailed the maintainer/author of that script and asked if he's interested in
improvements to work well with NSS, but he hasn't responded. But still, if we
could do something which is broadly similar in usage then it would be much
appreciated by anyone who has to do any cross-distro work in this area.
