[blfs-dev] CA Certificates

Bruce Dubbs bruce.dubbs at gmail.com
Sun Mar 9 18:45:24 PDT 2014

DJ Lucas wrote:
> On 03/06/14 11:15, Bruce Dubbs wrote:
>> Henrik /KaarPoSoft wrote:
>>> Dear all,
>>> On
>>> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html
>>> you indicate to download CA Certificates from:
>>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
>>> However, on the "mxr frontpage"
>>> http://mxr.mozilla.org/
>>> the branch "Mozilla CVS"
>>> http://mxr.mozilla.org/mozilla/
>>> is described as follows:
>>> This contains the entire current CVS repository.
>>> For Gecko, XULRunner, and Firefox, CVS trunk is no longer the trunk,
>>> and is instead used for Gecko 1.9 / Firefox 3 and the 1.9.0.* / 3.0.*
>>> security releases.
>>> So I would like to suggest that alternative sources may be described a well.
>>> See e.g.
>>> http://kaarpux.kaarposoft.dk/packages/c/certdata.html#certificates_from_mozilla
>>> (You are more that welcome to link to this page, if you find it
>>> appropriate).
>>> We are not the only ones struggling to figure out which branch to use.
>>> See e.g. the thread started here:
>>> http://curl.haxx.se/mail/archive-2013-12/0033.html
>>> The integrity of the certdata.txt file is essential,
>>> so I would also like to suggest that
>>> 1) you download from https://hg.mozilla.org/...
>>> 2) you include a sha256 checksum for the file.
>> It would seem that
>> https://hg.mozilla.org/releases/mozilla-release/raw-file/058ed8ee9adf/security/nss/lib/ckfw/builtins/certdata.txt
>> is correct right now, but I don't see a way to specify 'current' or
>> 'latest' for the raw file that we need.
>> We could write a script to download the html and then parse the raw file
>> URL, but that would require downloading a 5M file just to get the url of
>> a 1.5M files.  :(
>> I don't see how we can give a checksum if the file is changing.  We need
>> to let users decide which version they need.
>> I'd be interested in other ideas.
>>      -- Bruce
> Couple of possible suggestions. First, and easiest, leave it alone. I
> know that the file in that repo was updated at least fairly recently.

Really?  When I download that file I get:

CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.87 $ $Date: 
2012/12/29 16:32:45 $"

> I'd imagine it will continue unless they are killing off maintenance on
> 1.9. Second, look at the url in the comments of the perl script which
> was taken from Fedora. It has a link to their package, just follow their
> lead.

That's the same file.

  A third possible solution is to add a comment to the each of the 4
> Mozilla packages to update a copy of the cacerts.txt on Anduin from
> whichever is the latest package at the time of update. Personally, the
> third is my favorite, but it adds editor work.

Well there is 
http://anduin.linuxfromscratch.org/sources/other/certdata.txt  that 
updates daily.  I was thinking of adding a CVS line to it so the scripts 
don't have to change.

The files in the packages are snapshots of those I think.  The issue I 
have is that they need to have a way to identify the version number or 
date the file was updated.

   -- Bruce

More information about the blfs-dev mailing list