[arch-dev-public] Rethinking our CA certificate setup

Jan Alexander Steffens jan.steffens at gmail.com
Sun Aug 24 06:40:16 EDT 2014


On Sun, Aug 24, 2014 at 12:06 PM, Gaetan Bisson <bisson at archlinux.org> wrote:
> [2014-08-24 11:47:56 +0200] Jan Alexander Steffens:
>> - Ship the update-ca-certificates script in a ca-certificates-utils
>> package, which the certificate packages depend on
>> - ca-certificates becomes a metapackage depending on the -mozilla and
>> -cacert packages
>
> So we'd have three ca-certificates-* packages?
>
> If this is only to allow users to remove the bundles (mozilla or
> cacert) they do not trust, then couldn't we instead just keep everything
> in one package; simply putting the files
>
>         /etc/ca-certificates/conf.d/{mozilla,cacert}.conf
>
> in the backup array would allow anyone to override them, so disabling a
> bundle would also be super easy...
>
> Other than the fragmentation of packages (my new pet gripe), your plan
> sounds great!

I don't want to stick either update-ca-certificates or the CAcert.org
certificates into the NSS PKGBUILD, so we will have at least two
PKGBUILDs and three packages involved here:

ca-certificates/PKGBUILD:
- sources: Debian ca-certificates, CAcert.org certificates
- pkgnames: ca-certificates

nss/PKGBUILD:
- sources: Mozilla NSS
- packages: nss ca-certificates-mozilla

Since Debian and CAcert.org aren't really related, I wanted to do
another split. -cacert and -mozilla both provide packages; the rest is
infrastructure. One could conceive of other provider packages. So our
proposed setup is:

ca-certificates/PKGBUILD:
- sources: Debian ca-certificates
- pkgnames: ca-certificates ca-certificates-utils

ca-certificates-cacert/PKGBUILD:
- sources: CAcert.org certificates
- pkgnames: ca-certificates-cacert

nss/PKGBUILD:
- sources: Mozilla NSS
- pkgnames: nss ca-certificates-mozilla

The package ca-certificates is empty and just depends on -mozilla and
-cacert to ensure a sane default setup.
The package ca-certificates-utils provides ca-certificates, so a
minimum install with no certificate provider packages is possible.

