On Tue, Nov 08, 2016 at 12:02:53PM -0600, DJ Lucas wrote:
>
> On November 8, 2016 1:47:28 AM CST, Wayne Blaszczyk <[email protected]> wrote:
> > Last I looked at this, comparing nss to firefox tarballs, it seemed to me
> > at the time that firefox was more current, or maybe I was comparing to what
> > was in the Mozilla repository. I cannot remember now, but for some reason
> > I switched from nss to firefox.
>
> Yes, they tend to go back and forth. I *believe* that this has been the
> effective policy for the Mozilla products in the book since the inclusion of
> standalone NSS (~2008 at best guess), but that needs to be verified. Most
> recommended will be the release branch for certdata.txt, with latest always
> being NSS tip.
> http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
>
> Ultimately, the book needs some policy. The release branch has worked for the
> CLI apps for a long time (and obviously FF, SM, and TB). Maybe we could add
> some pointers to additional reading, in the book or the wiki, for those who
> want (or need) to brave the latest and greatest. Even the perl script
> included with curl could be utilized to do a comparison. One could even go so
> far as to update the shared nssdb with the modified trust from upstream, but
> that's a bit too much for the book IMO. I'm not against making mention of it,
> along with the "beyond the scope of the BLFS book" blurb.
>
> --DJ
>

For my own current builds, I doubt that whatever happens will make much
difference - I always build LWP during my normal desktop builds, and I've
obviously only picked up recent certificate changes from a completed system,
so I don't need to get fresh certs in the early stages of BLFS.

My one reservation is that at the moment I can look for updated certificates
several times a week, if I wish to. Usually I check before updating firefox,
but also if deprecation of a CA gets mentioned anywhere. I'm not clear if I
can still do that *easily* if we move to using an nss (or firefox) release, or
whether in practice I'll have to wait for a new release of whichever package
you choose.

Example: I last updated my certs to 20161030. As of 60 seconds ago the
current version is 20161103 - and BOTH of those are newer than the current
nss and non-beta firefox.

ĸen
--
`I shall take my mountains', said Lu-Tze. `The climate will be good
for them.' -- Small Gods
