On Wed, Dec 11, 2013 at 8:07 PM, Miloslav Trmač <m...@volny.cz> wrote:
> On Wed, Dec 11, 2013 at 6:59 PM, Toshio Kuratomi <a.bad...@gmail.com> wrote:
>> * Should packages that ship their own cacerts be patched to use Shared
>>   System Certificates instead?  [I think the answer to this is yes]
>> * If the package contains a cacert that is not in our bundle, should those
>>   be added?
>> * How does a package add a cacert to our existing bundle?
>
> The preference I've heard earlier is to use ca-certificates as the
> only authority (and ca-certificates using the Mozilla CA set without
> making similar decisions at the Fedora level, because we don't have
> any resources to do CA vetting), and disallow other packages from
> shipping and installing any other system-wide CA certificate.
>
> I suppose setting up some kind of site-wide mechanism like freeipa
> could also install a CA certificate, but it would be a generated
> certificate not shipped by a package, and it would have to be an
> explicit administrator's action.
>
> This makes sense to me; if there are cases that this can't account
> for, please speak up.

I have a package that puts certificates into /usr/share/(esteid/certs/). It
isn't part of Fedora yet, but I've been hoping to get it accepted into the
Fedora repository and to replace the current Fedora (Google Code)
packages for working with Estonian ID (smart) cards. My package,
esteidcerts, is provided by the Estonian Certification Centre, the CA
for Estonia. I'm open to suggestions regarding how I should handle
these certificates. The Centre has told me that the Google Code
packages have known vulnerabilities, and this is why I have an
interest in replacing them.

More details

Latest Estonian Certification Centre source:
https://installer.id.ee/media/sources/

RPMs for F17 (the Centre is no longer building RPMs for Fedora):
https://installer.id.ee/media/fedora/17/RPMS/

Google Code packages include
esteid-browser-plugin, libdigidoc, libdigidocpp,
mozilla-esteid, smartcardpp

Fred
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct