Bug#309564: cacert certificate

Mike Hommey mh at glandium.org
Sat Jul 12 12:17:17 UTC 2008


On Sat, Jul 12, 2008 at 02:02:31PM +0200, martin f krafft wrote:
> tags 309564 patch
> thanks
> 
> also sprach martin f krafft <madduck at debian.org> [2008.07.11.1206 +0200]:
> > Mike Hommey pointed me to
> > mozilla/security/nss/lib/ckfw/builtins/README in the nss source for
> > the fastest way to get CAcert's cert in for lenny
> 
> I followed those instructions, added the two CAcert certificates and
> the SPI Inc. 2008 certificate, bumped the library version to 1.71,
> and produced the attached patch.
> 
> I have tried the new package and can verify that it works. I have
> also verified the fingerprints with another person looking over my
> shoulder.
> 
> The only thing I don't like now is that the CAcert certs show up
> under "Root CA", which is the CN they use. I don't think there's
> anything we can do about it though.
> 
> Looking at the list of certs Mozilla ships by default, I'd say this
> patch should go upstream! If anyone objects because of trust issues,
> I'd like to see trust paths for all the CAs that are being provided,
> many of which don't even provide URLs or policies. But this is
> another issue.

Thanks Martin. I only have one concern with your patch (well, two,
actually): I'm not sure how the library version is being used, but
surely, we should take care there won't be a problem with us having a
somehow conflicting version number with upstream (next time they add a
CA, they are likely to use this version; are we going to keep
increasing this version compared to upstream?)

My second concern is that your patch looks like an NMUdiff, but is not
using dpatch like the rest of the package. But don't care too much about
that, that's just nitpicking ;)

Mike





More information about the pkg-mozilla-maintainers mailing list