>>>> Is there a a reason why blfs recommends to install ca-certs in this >>>> way rather than, for example, the way Debian does it? >>>> >>>> 1. Unless I made a mistake somewhere, the blfs method does not >>>> install anything in /usr/share/ca-certificates/mozilla - I presume >>>> that browsers expect to find something there? >>>> >>> Browsers seem to find certs in /etc/ssl/certs/ just fine when the >>> browsers are built with BLFS instructions. We do not do anything to >>> change the default search method. >>> >>>> 2. The blfs method does not give the certificates a human readable >>>> name. >>>> >>> The certs in /etc/ssl/certs/ are .pem files. They are ascii and >>> readable. /etc/ssl/certs/ca-certificates.crt is ascii and readable. >>> >> Sorry, I meant that the cert files have names like >> Baltimore_CyberTrust_Root.crt, rather than c8d345a2.crt >> >>>> 3. The blfs certifcates are significantly larger (extraneous >>>> information is stripped out by Debian) - the concatenated file >>>> ca-certificates.crt is four times larger >>>> >>> The ca-bundle.crt for me is 941K. All files collectively in >>> /etc/ssl/certs/ are 1.4M. Why do you think this is a problem? >>> >> The Debian-style ca-bundle.crt is about 275k - I don't particularly >> think this is a problem, but why not go with something smaller if >> possible? >> >>>> 4. The symlink ca-certificates.crt -> cacerts.pem is not created. >>>> >>> $ ls -l /etc/ssl/certs/ca-certificates.crt lrwxrwxrwx 1 root root 16 >>> Jan 5 2016 /etc/ssl/certs/ca-certificates.crt -> ../ca-bundle.crt >>> >> The openssl conf file mentions a file named cacerts.pem in >> /etc/ssl/certs. >> >>>> 5. /etc/ca-certificates.conf (a list of the certificates) is not >>>> created. >>>> >>> Why is this a problem? >>> >> I don't say that it's a problem, but the file exists on several of the >> distros I checked and is used to list the ca-certs and any locally >> added certs - I presume it's there for a reason? > >I don't want to change something that works just because others do it >differently. >However, if you want to submit a proposed change, we will consider it. > If interested, you could take a look at:
http://http.debian.net/debian/pool/main/c/ca-certificates/ca-certificates_20160104.tar.xz Untar and replace certdata.txt with the file from: http://anduin.linuxfromscratch.org/BLFS/other/certdata.txt make [as root] make install update-ca-certificates -- http://lists.linuxfromscratch.org/listinfo/blfs-support FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
