Following on from a discussion on the distro package dev list, we will require a distro-specific root CA certs file for OpenJDK/IcedTea when it reaches a point that I deem 'stable' (see "OT" below sig). Unfortunately, we also need a populated certs file now for gnome keyring in 2.24.3. We have one from OpenSSL and one from Mozilla. I'm considering using the currently shipping file from mozilla.org as outlined here:
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=270
and here:
http://cvs.fedoraproject.org/viewvc/rpms/ca-certificates/F-10/mkcabundle.pl?revision=1.1

Currently we have two usable installed in BLFS (mozilla and openssl). Now I believe that I already have a workable solution as I wrote this e-mail, but we do have two options for piggybacking off of another distro. Debian provides a nice package including mozilla.org cacerts along with additional government and free providers (brazil.gov.br, cacert.org, debconf.org, mozilla.org, quovadis.bm, signet.pl, spi-inc.org, telesec.de). IMO, the RH method is sufficient to explain the issue and users can add what they like, but Debian does a really nice job of breaking out all the providers individually in /usr/share/ca-certificates and combining them in /etc for system use.

So new question: Where, which method, and how does it go into the book? Again, I think that the RH method is sufficient, but others may disagree. I'm thinking that the RH script goes into auxfiles along with a generated ca-bundle.crt for the book, a new page and file written for xinclude in packages that can utilize it (such as openssl, gnome-keyring, and JDK off the top of my head) and the generated file placed with other BLFS provided files (like bootscripts and mozconfig and the like).

Finally, one other issue that I stumbled across when researching this. OpenSSL gets money from providers to include their cert in the source distribution. Would we be doing a disservice to their devs to suggest using another source? Obviously not if using certs from a not-for-profit organization, but I _think_ that would exclude the use of the Mozilla provided certs.

Comments, corrections, suggestions, other explanations?

-- DJ Lucas

OT: OpenJDK/IcedTea--IMO, a stable release is at least after another Sun release of OpenJDK, including the official plugin and WebStart as the current open source offerings are not sufficient for my own daily use.
--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
