Bug#558283: nss: please add a certificate package

Mike Hommey mh at glandium.org
Tue Dec 15 15:23:03 UTC 2009


Hi Philipp,

On Fri, Nov 27, 2009 at 05:11:53PM +0100, Mike Hommey wrote:
> On Fri, Nov 27, 2009 at 04:53:48PM +0100, Philipp Kern wrote:
> > Package: nss
> > Version: 3.12.4-1
> > Severity: wishlist
> > 
> > Hi Mike,
> > 
> > attached is a proposal for a ca-certificates-nss package.  I had initially
> > thought to name it ca-certificates-mozilla, but considering that we add some
> > certificates through patches it looked a bit like a lie to do it like this.
> > 
> > Currently I fetch certdata.txt myself into the ca-certificates package and
> > then explode it into many files.  I feel that it should instead be done in
> > the data source directly.  Thus I copied the script to debian/.
> > 
> > I implemented a blacklist because the way we organize certificates in the
> > file system does not support negative trust values, thus the one currently
> > in certdata.txt is blocked from the export.
> > 
> > I would revamp ca-certificates in a similar way with subpackages putting
> > certificates into /usr/share/ca-certificates/<suffix> and I then intend to
> > recommend ca-certificates-nss, which should provide us with the basic set
> > almost everyone needs.
> > 
> > Any input on this would be cool.  :-)
> 
> Well, first, thanks. But the attachment is missing ;)
> 
> Secondly, I really don't know... I have to think about it.

Sorry for the delay. I thought a bit more about it, but still haven't
made up my mind.

On one hand, what you want to do is to have ca-certificates data be
somehow magically updated with any new CA certificates that would be
provided by the nss source package in the certdata.txt file.

On the other hand, we should really have one and only one CA
certificate database. The big question is to know how this single
database should be handled. I'm not sure automatically getting the CA
certificates from the ones Mozilla approves is something we would want.
Do we have a formal process to get CA certificates in the
ca-certificates package currently?

On the last hand (if you are Zaphod Beeblebrox), another known distro is
totally going in another direction, that is to only use one crypto
library[1].

The latter is really not something that is going to happen anytime soon,
with the number of packages that are using these different crypto
libraries, and seeing how fast Fedora is progressing on this...

As for the certificates we add through patches, they are only here
because we don't have a way (yet) to get ca-certificates to be used by
libnss.

Finally, about the script, I'm pretty sure there is a way to export pem
files from the nss "token" with one of the binaries shipped or not
shipped in libnss3-tools.

These were my thoughts. I don't know where we should be heading from
here.

Cheers,

Mike

1. http://fedoraproject.org/wiki/FedoraCryptoConsolidation
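The thread discusses exploding certdata.txt into one PEM file per CA and blocking entries whose trust value is negative, because a directory of PEM files cannot express distrust. The following script is an added example, not code from this thread or from the nss or ca-certificates packages: it parses the certdata.txt object layout (CKO_CERTIFICATE objects carrying MULTILINE_OCTAL DER bytes, paired CKO_NSS_TRUST objects carrying CK_TRUST values), exports only certificates whose server-auth trust is CKT_NSS_TRUSTED_DELEGATOR, and reports the rest as blocked rather than silently dropping them. The embedded certdata text is constructed for the example; its CKA_VALUE bytes are placeholders, not real certificates, and the trust constant names follow later NSS releases (the older CKT_NETSCAPE_* spellings are accepted too). Matching certificate and trust objects by CKA_LABEL is a simplification; a production exporter should match on CKA_ISSUER and CKA_SERIAL_NUMBER.

```python
import base64
import re

# Constructed sample in certdata.txt layout. The octal CKA_VALUE bytes are
# placeholders, not real DER certificates.
SAMPLE_CERTDATA = r"""
BEGINDATA

# Certificate "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\001\002
\003\004
END

# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Certificate "Example Distrusted Root" (negative trust entry)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\377\376
END

# Trust for "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""

# Only these values mean "trusted as a root for this purpose". Anything else
# (CKT_NSS_NOT_TRUSTED, CKT_NSS_MUST_VERIFY_TRUST, missing trust object) is
# not exportable into a flat PEM directory that has no notion of distrust.
TRUSTED_VALUES = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}
TRUST_CLASSES = {"CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST"}


def parse_certdata(text):
    """Return (certs, trusts): label -> DER bytes and label -> attribute dict."""
    certs, trusts, obj = {}, {}, {}
    lines = text.splitlines()
    i = 0

    def flush():
        cls, label = obj.get("CKA_CLASS"), obj.get("CKA_LABEL")
        if cls == "CKO_CERTIFICATE" and label:
            certs[label] = obj["CKA_VALUE"]
        elif cls in TRUST_CLASSES and label:
            trusts[label] = dict(obj)
        obj.clear()

    while i < len(lines):
        line = lines[i]
        i += 1
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line terminates an object
            flush()
            continue
        parts = line.split(None, 2)   # ATTRIBUTE TYPE VALUE
        if len(parts) < 2:            # e.g. the BEGINDATA marker
            continue
        attr, typ = parts[0], parts[1]
        if typ == "MULTILINE_OCTAL":
            # Octal escapes like \060 on following lines, up to a line "END"
            buf = bytearray()
            while i < len(lines) and lines[i].strip() != "END":
                buf.extend(int(o, 8) for o in re.findall(r"\\([0-7]{3})", lines[i]))
                i += 1
            i += 1                    # skip the END line
            obj[attr] = bytes(buf)
        else:
            value = parts[2] if len(parts) == 3 else ""
            obj[attr] = value.strip('"') if typ == "UTF8" else value
    flush()
    return certs, trusts


def pem_encode(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def export_trusted(text, purpose="CKA_TRUST_SERVER_AUTH"):
    """Return (exported, blocked): [(label, pem)] and [(label, reason)]."""
    certs, trusts = parse_certdata(text)
    exported, blocked = [], []
    for label, der in certs.items():
        value = trusts.get(label, {}).get(purpose)
        if value in TRUSTED_VALUES:
            exported.append((label, pem_encode(der)))
        else:
            blocked.append((label, value or "no trust object"))
    return exported, blocked


if __name__ == "__main__":
    ok, skipped = export_trusted(SAMPLE_CERTDATA)
    for label, pem in ok:
        print("exported:", label)
    for label, reason in skipped:
        print("blocked:", label, "(" + reason + ")")
```

On a real certdata.txt the blocked list is what the proposed blacklist would have to contain; printing it makes the negative-trust entries visible in the build log instead of disappearing. Mike's remark about exporting from the NSS token refers to the libnss3-tools path: `certutil -L -d <dbdir> -n <nickname> -a` prints a certificate in PEM form from an NSS database, which avoids re-implementing the file format at all.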