[blfs-dev] CA Certificates

DJ Lucas dj at lucasit.com
Sun Mar 9 18:17:43 PDT 2014


On 03/06/14 11:15, Bruce Dubbs wrote:
> Henrik /KaarPoSoft wrote:
>> Dear all,
>>
>> On
>> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html
>> you indicate to download CA Certificates from:
>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
>>
>> However, on the "mxr frontpage"
>> http://mxr.mozilla.org/
>> the branch "Mozilla CVS"
>> http://mxr.mozilla.org/mozilla/
>> is described as follows:
>>
>> QUOTE
>> This contains the entire current CVS repository.
>> For Gecko, XULRunner, and Firefox, CVS trunk is no longer the trunk,
>> and is instead used for Gecko 1.9 / Firefox 3 and the 1.9.0.* / 3.0.*
>> security releases.
>> UNQUOTE
>>
>> So I would like to suggest that alternative sources may be described as well.
>> See e.g.
>> http://kaarpux.kaarposoft.dk/packages/c/certdata.html#certificates_from_mozilla
>>
>> (You are more than welcome to link to this page, if you find it
>> appropriate).
>>
>> We are not the only ones struggling to figure out which branch to use.
>> See e.g. the thread started here:
>> http://curl.haxx.se/mail/archive-2013-12/0033.html
>>
>> The integrity of the certdata.txt file is essential,
>> so I would also like to suggest that
>> 1) you download from https://hg.mozilla.org/...
>> 2) you include a sha256 checksum for the file.
> It would seem that
> https://hg.mozilla.org/releases/mozilla-release/raw-file/058ed8ee9adf/security/nss/lib/ckfw/builtins/certdata.txt
> is correct right now, but I don't see a way to specify 'current' or
> 'latest' for the raw file that we need.
>
> We could write a script to download the html and then parse the raw file
> URL, but that would require downloading a 5M file just to get the url of
> a 1.5M file.  :(
>
> I don't see how we can give a checksum if the file is changing.  We need
> to let users decide which version they need.
>
> I'd be interested in other ideas.
>
>     -- Bruce
>
>
Couple of possible suggestions. First, and easiest, leave it alone. I
know that the file in that repo was updated at least fairly recently.
I'd imagine it will continue unless they are killing off maintenance on
1.9. Second, look at the url in the comments of the perl script which
was taken from Fedora. It has a link to their package, just follow their
lead. A third possible solution is to add a comment to each of the 4
Mozilla packages to update a copy of the cacerts.txt on Anduin from
whichever is the latest package at the time of update. Personally, the
third is my favorite, but it adds editor work.

HTH

--DJ
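The integrity check Henrik asks for and the pinned-revision URL Bruce found, combined into one fetch script. This is an added example, not a script from the BLFS book or from anyone in the thread; it assumes curl plus sha256sum (or shasum) on the host, and the CERTDATA_SHA256 value is a placeholder that the book editor would record for the chosen revision.

```shell
#!/bin/sh
# Fetch certdata.txt from a pinned mozilla-release revision and refuse to
# install it unless its SHA-256 matches the value recorded next to the URL.
# The revision hash is the one quoted in the thread; the checksum below is
# a PLACEHOLDER and must be replaced with the digest of that revision.
set -eu

CERTDATA_URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/058ed8ee9adf/security/nss/lib/ckfw/builtins/certdata.txt"
CERTDATA_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# sha256_of FILE -> print the hex digest using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> return 0 on match, 1 on mismatch.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_certdata DEST -> download the pinned file to DEST.tmp, verify it,
# and only then rename it into place; a mismatching file is deleted so a
# bad certdata.txt never lingers where a later step could pick it up.
fetch_certdata() {
    dest=$1
    curl -fsSL -o "$dest.tmp" "$CERTDATA_URL"
    if verify_sha256 "$dest.tmp" "$CERTDATA_SHA256"; then
        mv "$dest.tmp" "$dest"
    else
        rm -f "$dest.tmp"
        echo "certdata.txt checksum mismatch, refusing to install" >&2
        return 1
    fi
}
```

Because the URL names a specific changeset, the checksum stays valid until the book deliberately moves to a newer revision, which is the point Bruce raised about a changing file.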