John Frankish wrote:
Is there a reason why blfs recommends to install ca-certs in
this way rather than, for example, the way Debian does it?
1. Unless I made a mistake somewhere, the blfs method does not
install anything in /usr/share/ca-certificates/mozilla - I presume
that browsers expect to find something there?
Browsers seem to find certs in /etc/ssl/certs/ just fine when the
browsers are built with BLFS instructions. We do not do anything to
change the default search method.
2. The blfs method does not give the certificates a human readable
name.
The certs in /etc/ssl/certs/ are .pem files. They are ascii and
readable. /etc/ssl/certs/ca-certificates.crt is ascii and readable.
Sorry, I meant that the cert files have names like
Baltimore_CyberTrust_Root.crt, rather than c8d345a2.crt
3. The blfs certificates are significantly larger (extraneous
information is stripped out by Debian) - the concatenated file
ca-certificates.crt is four times larger
The ca-bundle.crt for me is 941K. All files collectively in
/etc/ssl/certs/ are 1.4M. Why do you think this is a problem?
The Debian-style ca-bundle.crt is about 275k - I don't particularly
think this is a problem, but why not go with something smaller if
possible?
4. The symlink ca-certificates.crt -> cacerts.pem is not created.
$ ls -l /etc/ssl/certs/ca-certificates.crt
lrwxrwxrwx 1 root root 16 Jan 5 2016 /etc/ssl/certs/ca-certificates.crt -> ../ca-bundle.crt
The openssl conf file mentions a file named cacerts.pem in
/etc/ssl/certs.
5. /etc/ca-certificates.conf (a list of the certificates) is not
created.
Why is this a problem?
I don't say that it's a problem, but the file exists on several of the
distros I checked and is used to list the ca-certs and any locally
added certs - I presume it's there for a reason?
I don't want to change something that works just because others do it
differently. However, if you want to submit a proposed change, we will
consider it.
Note that we get the data from:
https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/certdata.txt
We have to parse that (which actually comes as html) to get the raw file
and then insert a header to make it compatible with our scripts.
We check for updates daily.
-- Bruce
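As an added illustration of the certdata.txt processing described above (this is not code from BLFS, Debian or anyone in this thread): a minimal Python parser for the Mozilla NSS certdata.txt object format that writes out PEM text under human-readable file names of the kind asked for in point 2 (e.g. Baltimore_CyberTrust_Root.crt), and keeps only roots whose NSS trust record marks them as trusted for TLS server authentication. The sample data is constructed and abbreviated; the CKA_VALUE bytes are placeholders, not real DER certificates.

```python
import base64
import re
# Constructed, abbreviated certdata.txt fragment; CKA_VALUE bytes are placeholders, not real DER.
SAMPLE_CERTDATA = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trust Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trust Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Email-Only Example"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Email-Only Example"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''

def parse_certdata(text):
    objects = []  # one dict per CKA_CLASS line; comments, blanks and BEGINDATA are skipped
    lines = iter(l for l in text.splitlines() if l.startswith(('CKA_', '\\', 'END')))
    for line in lines:
        key, _, rest = line.partition(' ')
        if key == 'CKA_CLASS':
            objects.append({})
        if rest.endswith('MULTILINE_OCTAL'):
            octal = ''.join(iter(lines.__next__, 'END'))  # consume the \ooo lines up to END
            objects[-1][key] = bytes(int(o, 8) for o in re.findall(r'\\([0-7]{3})', octal))
        elif rest.startswith('UTF8 "'):
            objects[-1][key] = rest[6:-1]  # strip the UTF8 prefix and quotes
        else:
            objects[-1][key] = rest.split()[-1]  # e.g. CKO_CERTIFICATE, CKT_NSS_NOT_TRUSTED
    return objects

def to_pem(der):
    b64 = base64.b64encode(der).decode('ascii')
    body = '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64))  # 64-column PEM lines
    return f'-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n'

def server_auth_roots(objects):
    """Human-readable filename -> PEM, only for roots trusted for TLS server auth."""
    trust = {o['CKA_LABEL']: o.get('CKA_TRUST_SERVER_AUTH')
             for o in objects if o['CKA_CLASS'] == 'CKO_NSS_TRUST'}
    return {re.sub(r'[^A-Za-z0-9]+', '_', o['CKA_LABEL']).strip('_') + '.crt': to_pem(o['CKA_VALUE'])
            for o in objects if o['CKA_CLASS'] == 'CKO_CERTIFICATE'
            and trust.get(o['CKA_LABEL']) == 'CKT_NSS_TRUSTED_DELEGATOR'}
```

Running `server_auth_roots(parse_certdata(SAMPLE_CERTDATA))` yields only `Example_Trust_Root.crt`; the e-mail-only root is dropped because its trust record does not allow server auth.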