[arch-dev-public] Rethinking our CA certificate setup

Jan Alexander Steffens jan.steffens at gmail.com
Sun Aug 24 06:40:16 EDT 2014

On Sun, Aug 24, 2014 at 12:06 PM, Gaetan Bisson <bisson at archlinux.org> wrote:
> [2014-08-24 11:47:56 +0200] Jan Alexander Steffens:
>> - Ship the update-ca-certificates script in a ca-certificates-utils
>> package, which the certificate packages depend on
>> - ca-certificates becomes a metapackage depending on the -mozilla and
>> -cacert packages
> So we'd have three ca-certificates-* packages?
> If this is this only to allow users to remove the bundles (mozilla or
> cacert) they do not trust, then couldn't we instead just keep everything
> in one package; simply putting the files
>         /etc/ca-certificates/conf.d/{mozilla,cacert}.conf
> in the backup array would allow anyone to override them, so disabling a
> bundle would also be super easy...
> Other than the fragmentation of packages (my new pet gripe), your plan
> sounds great!

I don't want to stick either update-ca-certificates or the CAcert.org
certificates into the NSS PKGBUILD, so we will have at least two
PKGBUILDs and three packages involved here:

- sources: Debian ca-certificates, CACert.org certificates
- pkgnames: ca-certificates

- sources: Mozilla NSS
- packages: nss ca-certificates-mozilla

Since Debian and CACert.org aren't really related, I wanted to do
another split. -cacert and -mozilla both provide packages; the rest is
infrastructure. One could conceive of other provider packages. So our
proposed setup is:

- sources: Debian ca-certificates
- pkgnames: ca-certificates ca-certificates-utils

- sources: CACert.org certificates
- pkgnames: ca-certificates-cacert

- sources: Mozilla NSS
- pkgnames: nss ca-certificates-mozilla

The package ca-certificates is empty and just depends on -mozilla and
-cacert to ensure a sane default setup.
The package ca-certificates-utils provides ca-certificates, so a
minimum install with no certificate provider packages is possible.

More information about the arch-dev-public mailing list