John Frankish wrote:
Is there a reason why blfs recommends to install ca-certs in
this way rather than, for example, the way Debian does it?

1. Unless I made a mistake somewhere, the blfs method does not
install anything in /usr/share/ca-certificates/mozilla - I presume
that browsers expect to find something there?

Browsers seem to find certs in /etc/ssl/certs/ just fine when the
browsers are built with BLFS instructions. We do not do anything to
change the default search method.

2. The blfs method does not give the certificates a human readable
name.

The certs in /etc/ssl/certs/ are .pem files.  They are ascii and
readable. /etc/ssl/certs/ca-certificates.crt is ascii and readable.

Sorry, I meant that the cert files have names like
Baltimore_CyberTrust_Root.crt, rather than c8d345a2.crt

3. The blfs certificates are significantly larger (extraneous
information is stripped out by Debian) - the concatenated file
ca-certificates.crt is four times larger

The ca-bundle.crt for me is 941K.  All files collectively in
/etc/ssl/certs/ are 1.4M. Why do you think this is a problem?

The Debian-style ca-bundle.crt is about 275k - I don't particularly
think this is a problem, but why not go with something smaller if
possible?

4. The symlink ca-certificates.crt -> cacerts.pem is not created.

$ ls -l /etc/ssl/certs/ca-certificates.crt
lrwxrwxrwx 1 root root 16 Jan  5  2016 /etc/ssl/certs/ca-certificates.crt -> ../ca-bundle.crt

The openssl conf file mentions a file named cacerts.pem in
/etc/ssl/certs.

5. /etc/ca-certificates.conf (a list of the certificates) is not
created.

Why is this a problem?

I don't say that it's a problem, but the file exists on several of the
distros I checked and is used to list the ca-certs and any locally
added certs - I presume it's there for a reason?

I don't want to change something that works just because others do it differently. However, if you want to submit a proposed change, we will consider it.

Note that we get the data from:

https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/certdata.txt

We have to parse that (which actually comes as html) to get the raw file and then insert a header to make it compatible with our scripts.

We check for updates daily.

  -- Bruce
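The parsing step Bruce mentions and the human-readable naming John asks about in item 2, as an added example that is not the BLFS script: a small parser for the certdata.txt object format (CKA_* attributes, MULTILINE_OCTAL values ending in END) that keeps only roots whose trust object grants CKT_NSS_TRUSTED_DELEGATOR for server auth and writes each as PEM under a Debian-style name derived from CKA_LABEL. The sample input is constructed and its CKA_VALUE bytes are placeholders rather than a real DER certificate.

```python
import base64
import re

# Constructed sample in the certdata.txt layout; the CKA_VALUE bytes are placeholders, not real DER.
SAMPLE = """\
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\001\\000
\\377
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Distrusted CA"
CKA_VALUE MULTILINE_OCTAL
\\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Distrusted CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_objects(text):  # one dict per object; objects start at CKA_CLASS, MULTILINE_OCTAL runs to END
    objects, lines = [], iter(text.splitlines())
    cur = {}  # throwaway dict, so header lines before the first CKA_CLASS are ignored
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 2 or line.startswith("#"): continue
        if parts[0] == "CKA_CLASS": objects.append(cur := {})
        if parts[1] == "MULTILINE_OCTAL":  # \ooo escapes on the following lines, up to END
            raw = "".join(iter(lambda: next(lines, "END"), "END"))
            cur[parts[0]] = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", raw))
        elif parts[1] == "UTF8":
            cur[parts[0]] = parts[2].strip('"')
        else:
            cur[parts[0]] = parts[2] if len(parts) > 2 else ""
    return objects

def to_pem(der):  # PEM armour with 64-column lines, as in the /etc/ssl/certs files
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def trusted_certs(text):  # {Debian-style file name: PEM} for server-auth trusted roots only
    objs = parse_objects(text)
    ok = {o["CKA_LABEL"] for o in objs if o.get("CKA_CLASS") == "CKO_NSS_TRUST"
          and o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"}
    return {re.sub(r"[^\w.-]", "_", o["CKA_LABEL"]) + ".crt": to_pem(o["CKA_VALUE"])
            for o in objs if o.get("CKA_CLASS") == "CKO_CERTIFICATE" and o["CKA_LABEL"] in ok}
```

Writing each entry of the returned dict to /etc/ssl/certs and concatenating them gives the per-cert files and the bundle the thread compares; the distrusted root is dropped rather than shipped.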

--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
