On Thursday 01 August 2013, Ludwig Nussel wrote:
Ruediger Meier wrote:
>> Ok, now I've tried out the new p11-kit* and ca-certificates* packages. It works pretty well but I have a few issues:
> Thanks for testing, much appreciated!
If you want you could pull the three ca-certificates* packages from home:rudi_m into your branch. I've made some more less important build fixes and cleanups.
>> 1. It's not nice that /etc/ssl/openssl.cnf is disabled right now. I understand that you want to reduce the Factory packages which are using it. But it's unusable for users who need it. Actually this is completely against the idea to unify the certs stuff and to make it easier to use.
> I guess you meant /etc/ssl/ca-bundle.pem? I removed it after I found several packages in Factory that use it despite the clear instructions not to do that inside the file.
Yes, ca-bundle.pem, of course.
>> 2. Shouldn't /usr/share/ca-certificates still be parsed for compatibility? What if users have installed custom certs there?
> Since packaging extra certs was of limited use before I ignored that case so far.
My case was that I simply wanted to use p11-kit-nss-trust on suse 11.4 and I had to build/update all cert packages just because of incompatible paths.
> I'm actually more worried about /etc/ssl/certs. Ideally it should be replaced by a read only bind mount to /var/lib/ca-certificates/pem but I fear that admins put certs there (that are now completely ignored).
Please not another bind mount. If I as an admin want to try something out quick and dirty I really hate such artificial restrictions to protect me against my own stupidity. Couldn't we avoid that update-ca-certificates wipes out /etc/ssl/certs completely? Would it work to use a subdir and to not touch admin's files? Adding /etc/ssl/README at least!?
>> 3. Is it correct that ca-certificates-cacerts are installed in /usr/share/pki/trust/anchors/ but ca-certificates-mozilla above in /usr/share/pki/trust/?
> Yes. Certificates in the "anchors" subdirectory are automatically trusted whereas one level above the certificates need to have trust flags attached to them to be considered (dis)trusted. The Mozilla certs all have (dis)trust bits set.
Ah, ok.

cu,
Rudi
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
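The security-relevant point of the exchange above is that where a certificate file lands in the trust tree decides whether it is honoured: a plain certificate in the "anchors" subdirectory becomes a trust anchor, a file in the top-level directory is only honoured if it carries its own trust attributes (for example the OpenSSL "TRUSTED CERTIFICATE" PEM form that the Mozilla bundle uses), and a plain certificate dropped anywhere else, such as the old /etc/ssl/certs, is silently ignored. The following audit script is an added example, not code from the thread, from p11-kit or from the ca-certificates packages. It walks a constructed sample tree (no real certificates, just PEM labels) and reports how each PEM block would be treated under those placement rules, so an admin can find certificates that were copied somewhere the new layout never reads. The directory names "anchors" and "blacklist" are taken from the thread and from p11-kit's documented layout; the status labels and the simplification that only PEM files are inspected (p11-kit also reads its own ".p11-kit" persistence files, which this script does not parse) are this example's assumptions.

```python
"""Audit a p11-kit style trust directory and report which PEM blocks would be
honoured, distrusted or silently ignored, according to where they sit.

Added illustrative example; the rules are a model of the layout described in
the mailing-list thread, not p11-kit's actual loader.
"""
import os
import re
import tempfile

# One PEM block: the label between BEGIN/END is what distinguishes a plain
# "CERTIFICATE" from OpenSSL's "TRUSTED CERTIFICATE" (certificate plus trust
# attributes appended by `openssl x509 -trustout`).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S
)

# Status labels are this example's own naming.
ANCHOR = "anchor"                    # implicitly trusted (anchors/ subdir)
DISTRUSTED = "distrusted"            # explicitly distrusted (blacklist/ subdir)
POLICY_FROM_FILE = "policy-from-file"  # trust/distrust bits carried in the file
IGNORED = "ignored"                  # plain certificate outside anchors/: not loaded


def classify_block(relpath, label):
    """Decide how one PEM block at `relpath` (relative to the trust root) is treated."""
    top = relpath.split(os.sep)[0] if os.sep in relpath else ""
    if top == "anchors":
        return ANCHOR
    if top == "blacklist":
        return DISTRUSTED
    if label == "TRUSTED CERTIFICATE":
        # The file itself says what the certificate is (dis)trusted for.
        return POLICY_FROM_FILE
    return IGNORED


def audit_trust_dir(root):
    """Return {relative_path: [(pem_label, status), ...]} for every file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, encoding="ascii") as fh:
                text = fh.read()
            report[rel] = [
                (m.group(1), classify_block(rel, m.group(1)))
                for m in PEM_BLOCK.finditer(text)
            ]
    return report


def ignored_files(report):
    """Files containing at least one block that would be silently ignored."""
    return sorted(p for p, blocks in report.items()
                  if any(status == IGNORED for _, status in blocks))


def _pem(label, body="MIIBfakeBodyOnlyForLayoutDemo=\n"):
    # Constructed placeholder; the body is not a real certificate.
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


def build_sample_store():
    """Create a constructed sample trust tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="trust-demo-")
    os.makedirs(os.path.join(root, "anchors"))
    os.makedirs(os.path.join(root, "blacklist"))
    samples = {
        # packaged CA in anchors/: implicitly trusted
        "anchors/corp-root.pem": _pem("CERTIFICATE"),
        # explicitly distrusted
        "blacklist/compromised.pem": _pem("CERTIFICATE"),
        # Mozilla-style bundle: each entry carries its own trust bits
        "mozilla-bundle.pem": _pem("TRUSTED CERTIFICATE") + _pem("TRUSTED CERTIFICATE"),
        # the admin's "quick and dirty" copy into the top level: ignored
        "dropped-here.pem": _pem("CERTIFICATE"),
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w", encoding="ascii") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    store = build_sample_store()
    for path, blocks in sorted(audit_trust_dir(store).items()):
        print(path, blocks)
    print("would be silently ignored:", ignored_files(audit_trust_dir(store)))
```

Run the script as-is to see the classification of the constructed tree; pointing `audit_trust_dir` at a real /usr/share/pki/trust (or at a copy of an old /etc/ssl/certs) lists the plain certificates that the described layout would never load, which is exactly the case the thread worries about for admins who drop files into the old location.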