On Sun, Aug 24, 2014 at 12:06 PM, Gaetan Bisson <bisson@archlinux.org> wrote:
[2014-08-24 11:47:56 +0200] Jan Alexander Steffens:
- Ship the update-ca-certificates script in a ca-certificates-utils package, which the certificate packages depend on
- ca-certificates becomes a metapackage depending on the -mozilla and -cacert packages
So we'd have three ca-certificates-* packages?
If this is only to allow users to remove the bundles (mozilla or cacert) they do not trust, then couldn't we instead just keep everything in one package; simply putting the files
/etc/ca-certificates/conf.d/{mozilla,cacert}.conf
in the backup array would allow anyone to override them, so disabling a bundle would also be super easy...
Other than the fragmentation of packages (my new pet gripe), your plan sounds great!
I don't want to stick either update-ca-certificates or the CAcert.org certificates into the NSS PKGBUILD, so we will have at least two PKGBUILDs and three packages involved here:

ca-certificates/PKGBUILD:
- sources: Debian ca-certificates, CACert.org certificates
- pkgnames: ca-certificates

nss/PKGBUILD:
- sources: Mozilla NSS
- packages: nss ca-certificates-mozilla

Since Debian and CACert.org aren't really related, I wanted to do another split. -cacert and -mozilla both provide packages; the rest is infrastructure. One could conceive of other provider packages. So our proposed setup is:

ca-certificates/PKGBUILD:
- sources: Debian ca-certificates
- pkgnames: ca-certificates ca-certificates-utils

ca-certificates-cacert/PKGBUILD:
- sources: CACert.org certificates
- pkgnames: ca-certificates-cacert

nss/PKGBUILD:
- sources: Mozilla NSS
- pkgnames: nss ca-certificates-mozilla

The package ca-certificates is empty and just depends on -mozilla and -cacert to ensure a sane default setup. The package ca-certificates-utils provides ca-certificates, so a minimum install with no certificate provider packages is possible.