On 26 August 2014 21:15, Jan Alexander Steffens <jan.steff...@gmail.com> wrote:
> On Sun, Aug 24, 2014 at 11:47 AM, Jan Alexander Steffens
> <jan.steff...@gmail.com> wrote:
>> Hi guys,
>>
>> I'm currently at FrOSCon with Pierre and an expert from CAcert.org and
>> we're thinking of changes to our certificate setup.
>>
>>
>> The current issues are:
>> - Mozilla NSS uses its own root store and not /etc/ssl/certs
>> - ca-certificates ships outdated Mozilla roots
>> - Shipping additional roots outside ca-certificates is difficult,
>> requiring patching /etc/ca-certificates.conf
>>
>>
>> To solve these issues, we thought of making the following changes:
>>
>> - Attach NSS to p11-kit so it uses our root store (easily done by
>> replacing /usr/lib/libnssckbi.so with a symlink to p11-kit-proxy.so)
>> - Patch the update-ca-certificates script to read
>> /etc/ca-certificates/conf.d instead of /etc/ca-certificates.conf
>> - Split the current Mozilla roots from the NSS package in the
>> ca-certificates format, shipping
>> /etc/ca-certificates/conf.d/mozilla.conf
>> - Create a package shipping the CAcert.org roots in a similar way
>> - Ship the update-ca-certificates script in a ca-certificates-utils
>> package, which the certificate packages depend on
>> - ca-certificates becomes a metapackage depending on the -mozilla and
>> -cacert packages
>>
>> Comments are welcome. Unless we get objections, we're going to start
>> making these changes. Hopefully we can be done today and push the
>> result to [testing].
>>
>> Greetings,
>> Jan
>
> Firefox isn't quite happy yet with the change, see
> https://bugs.archlinux.org/task/41689: Addons fail to install or
> update.
>
> It seems this is due to Firefox depending on NSS internals -
> specifically, addons must be signed by certificates validated by the
> built-in trusted root store, which is matched by name.
>
> Fedora was affected as well:
> https://bugzilla.redhat.com/show_bug.cgi?id=966424
> Upstream report, arguing for the check to be removed:
> https://bugzilla.mozilla.org/show_bug.cgi?id=880269
>
> Now we can:
> a. Patch p11-kit to rename the store; the easy way.
> b. Patch Firefox and Thunderbird and SeaMonkey to not require the name
> to match; the hard way, and the one Fedora chose.
> c. Revert the change that links NSS to p11-kit; rather not, as it
> makes it really hard to control the root store.
>
> Opinions?
Hi Pierre, hi Jan,

So the "ca-certificates-utils" from testing (20140923-5) declares a "provides" and "conflict" on "ca-certificates-java". Unfortunately jre and jdk packages use a "init-jks-keystore" script provided by "ca-certificates-java" but not "ca-certificates-utils". This script only computes the file /etc/ssl/certs/java/cacerts, which is actually also computed by "update-ca-trust".

So I could just make jre and jdk packages depend on ca-certificates-utils and then "ca-certificates-java" could be dropped: is that the whole plan?
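To make the conf.d proposal in the quoted message concrete, here is an added example of the merge step that an update-ca-certificates script reading /etc/ca-certificates/conf.d/*.conf would perform. It is not the Arch ca-certificates-utils script and not code from anyone in this thread; it assumes the Debian-style fragment format (one certificate path per line, '#' for comments, a leading '!' to disable an entry), and it takes every path as a parameter so it runs in a scratch directory against constructed placeholder files rather than real roots. The security-relevant property it checks is that a disabled entry never reaches the generated bundle, which is exactly the control the single-file /etc/ca-certificates.conf made hard to keep when several packages wanted to ship roots.

```shell
#!/usr/bin/env bash
# Added example, not the ca-certificates-utils script: a minimal
# update-ca-certificates-style merge over a conf.d directory.
#
# Assumed fragment format (Debian ca-certificates.conf conventions):
#   - each line names a certificate file relative to SRCDIR
#   - blank lines and lines starting with '#' are ignored
#   - a line starting with '!' disables that certificate

# merge_ca_conf CONFD SRCDIR OUTDIR
# Reads CONFD/*.conf, symlinks each enabled certificate from SRCDIR into
# OUTDIR and concatenates the enabled ones into OUTDIR/ca-certificates.crt.
merge_ca_conf() {
    local confd="$1" srcdir="$2" outdir="$3"
    local frag line
    mkdir -p "$outdir"
    : > "$outdir/ca-certificates.crt"
    for frag in "$confd"/*.conf; do
        [ -f "$frag" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|'#'*) continue ;;   # blank line or comment
                '!'*)    continue ;;   # explicitly disabled certificate
            esac
            if [ ! -f "$srcdir/$line" ]; then
                echo "warning: $line listed in $frag but not present" >&2
                continue
            fi
            ln -sf "$srcdir/$line" "$outdir/$(basename "$line")"
            cat "$srcdir/$line" >> "$outdir/ca-certificates.crt"
        done < "$frag"
    done
}

# demo: builds a scratch tree with two vendor fragments (mozilla, cacert)
# and dummy .crt files (constructed text, not real certificates), runs the
# merge and prints "<links> <bundle lines> <disabled cert in bundle: yes|no>".
demo() {
    local tmp links bundle disabled
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf.d" "$tmp/src/mozilla" "$tmp/src/cacert"
    printf 'dummy mozilla root A\n' > "$tmp/src/mozilla/root_a.crt"
    printf 'dummy mozilla root B\n' > "$tmp/src/mozilla/root_b.crt"
    printf 'dummy cacert class 3\n'  > "$tmp/src/cacert/class3.crt"
    cat > "$tmp/conf.d/mozilla.conf" <<'EOF'
# shipped by the -mozilla package; root B disabled by the local admin
mozilla/root_a.crt
!mozilla/root_b.crt
EOF
    cat > "$tmp/conf.d/cacert.conf" <<'EOF'
# shipped by the -cacert package
cacert/class3.crt
EOF
    merge_ca_conf "$tmp/conf.d" "$tmp/src" "$tmp/out"
    links=$(find "$tmp/out" -type l | wc -l | tr -d ' ')
    bundle=$(wc -l < "$tmp/out/ca-certificates.crt" | tr -d ' ')
    if grep -q 'root B' "$tmp/out/ca-certificates.crt"; then
        disabled=yes
    else
        disabled=no
    fi
    rm -rf "$tmp"
    echo "$links $bundle $disabled"
}
```

Running `demo` prints `2 2 no`: two symlinks (root A and the CAcert class 3 placeholder), two lines in the bundle, and the disabled root B absent from it. Each package drops its own fragment into conf.d and the merge picks it up without anyone patching a shared file, which is the point of the proposed split.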