Ken Moffat wrote:
On Tue, Nov 08, 2016 at 12:02:53PM -0600, DJ Lucas wrote:

On November 8, 2016 1:47:28 AM CST, Wayne Blaszczyk <[email protected]> wrote:

Last I looked at this, comparing nss to firefox tarballs, it seemed to me at the time that firefox was more current, or maybe I was comparing to what was in the Mozilla repository. I cannot remember now, but for some reason I switched from nss to firefox.

Yes, they tend to go back and forth. I *believe* that this has been the effective policy for the Mozilla products in the book since the inclusion of standalone NSS (~2008 at best guess), but that needs to be verified. Most recommended will be the release branch for certdata.txt, with latest always being NSS tip. http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt Ultimately, the book needs some policy. The release branch has worked for the CLI apps for a long time (and obviously FF, SM, and TB). Maybe we could add some pointers to additional reading, in the book or the wiki, for those who want (or need) to brave the latest and greatest. Even the perl script included with curl could be utilized to do a comparison. One could even go so far as to update the shared nssdb with the modified trust from upstream, but that's a bit too much for the book IMO. I'm not against making mention of it, along with the "beyond the scope of the BLFS book" blurb. --DJ

For my own current builds, I doubt that whatever happens will make much difference - I always build LWP during my normal desktop builds, and I've obviously only picked up recent certificate changes from a completed system, so I don't need to get fresh certs in the early stages of BLFS. My one reservation is that at the moment I can look for updated certificates several times a week, if I wish to. Usually I check before updating firefox, but also if deprecation of a CA gets mentioned anywhere.
I'm not clear if I can still do that *easily* if we move to using an nss (or firefox) release, or whether in practice I'll have to wait for a new release of whichever package you choose. Example: I last updated my certs to 20161030. As of 60 seconds ago the current version is 20161103 - and BOTH of those are newer than the current nss and non-beta firefox.
I've stayed out of this discussion mostly because I don't want to interfere with progress in allowing for local or Java certs. For regular certs used by a browser, I still prefer the method we had before because of the reasons Ken gives above. The certs on anduin are checked daily from the hg.mozilla.org site. If upstream makes changes, a one line header is added simulating a CVS header and then posted for users.
I do not want to discourage changes, but there are advantages and disadvantages to different methods. The issue is which is best for the book.
The script on anduin is attached. -- Bruce
[Attachment: get-certdata.sh (Bourne shell script)]
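Bruce's anduin script is attached to the message but not reproduced on this page. The script below is an added example, not the attached one, of the same daily job: fetch certdata.txt from the NSS tip URL DJ gives, compare it with the copy last published, and, only when upstream changed, republish it with a one-line header whose date stamp serves as the version (the 20161030/20161103 style numbers Ken quotes). The `# Revision:` header wording, the file layout, the `--run` flag and the function names are assumptions, not taken from the anduin script or from BLFS.

```shell
#!/bin/sh
# Added example (not the attached anduin script): daily check of Mozilla's
# certdata.txt, republished with a dated header.  The header format, the
# "--run" flag and the file layout are assumptions.
set -eu

# Same raw-file URL DJ gives for NSS tip (the "default" branch).
CERTDATA_URL="http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt"

# Fetch upstream certdata.txt ($1) into $2; non-zero exit on HTTP errors.
fetch_certdata() {
    curl -fsS -o "$2" "$1"
}

# Print the published file $1 without the one-line header we prepend, so
# that only the upstream content takes part in the comparison.
certdata_body() {
    grep -v '^# Revision: ' "$1"
}

# Return 0 (true) if upstream file $1 differs from published file $2, or
# if $2 does not exist yet; return 1 if the content is identical.
certdata_changed() {
    [ -f "$2" ] || return 0
    if certdata_body "$2" | cmp -s - "$1"; then
        return 1
    fi
    return 0
}

# Write upstream $1 to $2 behind a header whose UTC date is the version.
# This stands in for the CVS $Date$ line the old certdata.txt carried; the
# exact wording of the header is an assumption.
publish_certdata() {
    stamp=$(date -u +%Y%m%d)
    {
        printf '# Revision: %s (fetched from %s)\n' "$stamp" "$CERTDATA_URL"
        cat "$1"
    } > "$2"
}

# Print the version stamp of a published file, e.g. 20161103.
certdata_version() {
    sed -n '1s/^# Revision: \([0-9]\{8\}\).*/\1/p' "$1"
}

# One daily run: fetch $1, compare with published file $2, republish only
# when upstream changed, so the version only moves when the trust set does.
update_certdata() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    fetch_certdata "$1" "$tmp"
    if certdata_changed "$tmp" "$2"; then
        publish_certdata "$tmp" "$2"
        echo "updated to $(certdata_version "$2")"
    else
        echo "unchanged, still $(certdata_version "$2")"
    fi
}

# From cron:  sh get-certdata-example.sh --run /srv/www/certdata.txt
if [ "${1:-}" = "--run" ]; then
    update_certdata "$CERTDATA_URL" "${2:?published file path}"
fi
```

Comparing the stripped body with `cmp` rather than the whole file is what lets the header carry a date without itself triggering a republish the next day; a user checking for deprecated CAs, as Ken describes, only needs to look at the stamp on the first line.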
-- http://lists.linuxfromscratch.org/listinfo/blfs-dev FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
