On Thu, Oct 06, 2011 at 05:44:54PM +0200, Thomas Bächler wrote:
On 28.09.2011 17:01, Dave Reisner wrote:
We patch cacert.org and spi-inc.org into NSS, so that narrows the list a bit. IMHO we should just drop ca-certificates in its current shape and replace it with a dump from our NSS package. We could even discuss the inclusion of spi-inc.org and cacert certificates.
Sure, I'm very interested in doing this. The current certs package is pretty ugly. Unfortunately, every distro seems to have their own method of managing this.
Did you make any progress on this?
Not really. Life's been a bit busy with a job transition currently happening and a sudden strong desire to jump out of planes [0]. Recent free time went to pushing out a mkinitcpio release. I'll probably have a chance to poke around this weekend as I have some downtime on Saturday.

I'm inclined to move in the direction of what Fedora does [1], which is to pull directly from Mozilla NSS. That would at least take care of the bundle that we rely on for curl and wget. I'm left wondering where they get their loose certificates from, though, as they aren't included in their ca-certificates package [2].

d

[0] http://i.imgur.com/YX9fp.jpg
[1] http://pkgs.fedoraproject.org/gitweb/?p=ca-certificates.git
[2] https://admin.fedoraproject.org/pkgdb/builds/show/F-devel-x86_64/ca-certific...