>> Is there a a reason why blfs recommends to install ca-certs in this >> way rather than, for example, the way Debian does it? >> >> 1. Unless I made a mistake somewhere, the blfs method does not install >> anything in /usr/share/ca-certificates/mozilla - I presume that >> browsers expect to find something there? >> > Browsers seem to find certs in /etc/ssl/certs/ just fine when the browsers > are built with BLFS instructions. > We do not do anything to change the default search method. > >> 2. The blfs method does not give the certificates a human readable name. >> > The certs in /etc/ssl/certs/ are .pem files. They are ascii and readable. > /etc/ssl/certs/ca-certificates.crt is ascii and readable. > Sorry, I meant that the cert files have names like Baltimore_CyberTrust_Root.crt, rather than c8d345a2.crt
>> 3. The blfs certifcates are significantly larger (extraneous >> information is stripped out by Debian) - the concatenated file >> ca-certificates.crt is four times larger >> > The ca-bundle.crt for me is 941K. All files collectively in /etc/ssl/certs/ > are 1.4M. > Why do you think this is a problem? > The Debian-style ca-bundle.crt is about 275k - I don't particularly think this is a problem, but why not go with something smaller if possible? >> 4. The symlink ca-certificates.crt -> cacerts.pem is not created. >> > $ ls -l /etc/ssl/certs/ca-certificates.crt > lrwxrwxrwx 1 root root 16 Jan 5 2016 /etc/ssl/certs/ca-certificates.crt -> > ../ca-bundle.crt > The openssl conf file mentions a file named cacerts.pem in /etc/ssl/certs. >> 5. /etc/ca-certificates.conf (a list of the certificates) is not created. >> > Why is this a problem? > I don't say that it's a problem, but the file exists on several of the distros I checked and is used to list the ca-certs and any locally added certs - I presume it's there for a reason? -- http://lists.linuxfromscratch.org/listinfo/blfs-support FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
