[Bug 474549] Review Request: ca-cacert.org - CAcert.org CA root certificates

bugzilla at redhat.com bugzilla at redhat.com
Fri Jan 8 19:09:57 UTC 2010


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=474549


David Woodhouse <dwmw2 at infradead.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dwmw2 at infradead.org
         Depends on|                            |466626




--- Comment #12 from David Woodhouse <dwmw2 at infradead.org>  2010-01-08 14:09:51 EDT ---
Technical review... you include these files:

%{pkidir}/tls/certs/%{name}-class1.crt
%{pkidir}/tls/certs/%{class1hash}.0

But that is broken. Nothing will ever use the first, and I'm not even sure if
they'll use the second. Besides, the hash function used is a fairly weak one
and it's quite likely that there will be collisions. You can't just assume that
you can use %{hash}.0 as the file name.

We need a script to rebuild the /etc/pki/tls/cert.pem file from a configurable
list of original certs, like Debian has (see bug #466626). And you should be
using that in your %post script.

You also need to add it to the system-wide NSS database. We have that working
now, and hopefully we'll deploy it in firefox/thunderbird/evolution in time for
Fedora 13. Then we can just add the new cert to the central database in
/etc/pki/nssdb/ and it'll actually work for everything which uses NSS. Our
solution for bug #466626 will need to do that too, presumably.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
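Added example (not part of the bug comment or of the ca-cacert.org package): a small POSIX shell sketch of the two things the review asks for, a cert.pem bundle rebuilt from a configurable list of original certificates in the style of Debian's ca-certificates.conf, and a collision-safe way to name %{hash}.N files in an OpenSSL hash directory. The config format (one PEM path per line, '#' for comments, a leading '!' for a listed-but-disabled cert) and all paths are assumptions; install_hash_link needs openssl on PATH, the other two functions do not.

```shell
#!/bin/sh
# Added example, not the package's own scripts. Rebuild a CA bundle from a
# configurable list and pick collision-safe hash-directory names.
set -eu

# build_bundle CONF BUNDLE: concatenate every enabled PEM cert listed in
# CONF into BUNDLE and print how many were included.
# Assumed config format: one path per line, '#' = comment, '!' = disabled.
build_bundle() {
    conf=$1; bundle=$2
    tmp="$bundle.tmp.$$"
    : > "$tmp"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|'!'*) continue ;;
        esac
        if [ ! -r "$line" ]; then
            echo "skipping unreadable cert: $line" >&2
            continue
        fi
        # Only accept files that actually carry a PEM certificate block.
        if ! grep -q '^-----BEGIN CERTIFICATE-----$' "$line"; then
            echo "skipping non-PEM file: $line" >&2
            continue
        fi
        cat "$line" >> "$tmp"
        count=$((count + 1))
    done < "$conf"
    # Replace atomically so no reader ever sees a half-written bundle.
    mv -f "$tmp" "$bundle"
    echo "$count"
}

# free_hash_name DIR HASH: first unused HASH.N in DIR. This is what
# c_rehash does, and it is why a hard-coded HASH.0 is unsafe: two subjects
# with the same hash must get different suffixes.
free_hash_name() {
    dir=$1; hash=$2; n=0
    while [ -e "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done
    echo "$hash.$n"
}

# install_hash_link DIR CERT: link CERT into DIR under a free subject-hash
# name and print the name chosen (requires openssl).
install_hash_link() {
    dir=$1; cert=$2
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    name=$(free_hash_name "$dir" "$hash")
    ln -s "$cert" "$dir/$name"
    echo "$name"
}
```

A %post script would call build_bundle with the system list and bundle path, then install_hash_link for each newly enabled cert; the disabled ('!') entries stay in the list so an administrator can see what was deliberately left out of the trust store.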
