Re: [blfs-dev] CA Certificates
On 03/06/14 11:15, Bruce Dubbs wrote:
> Henrik /KaarPoSoft wrote:
>> Dear all,
>>
>> On http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html you indicate to download CA Certificates from:
>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
>>
>> However, on the mxr frontpage http://mxr.mozilla.org/ the branch Mozilla CVS http://mxr.mozilla.org/mozilla/ is described as follows:
>>
>> QUOTE
>> This contains the entire current CVS repository. For Gecko, XULRunner, and Firefox, CVS trunk is no longer the trunk, and is instead used for Gecko 1.9 / Firefox 3 and the 1.9.0.* / 3.0.* security releases.
>> UNQUOTE
>>
>> So I would like to suggest that alternative sources may be described as well. See e.g. http://kaarpux.kaarposoft.dk/packages/c/certdata.html#certificates_from_mozilla (You are more than welcome to link to this page, if you find it appropriate).
>>
>> We are not the only ones struggling to figure out which branch to use. See e.g. the thread started here: http://curl.haxx.se/mail/archive-2013-12/0033.html
>>
>> The integrity of the certdata.txt file is essential, so I would also like to suggest that
>> 1) you download from https://hg.mozilla.org/...
>> 2) you include a sha256 checksum for the file.
>
> It would seem that
> https://hg.mozilla.org/releases/mozilla-release/raw-file/058ed8ee9adf/security/nss/lib/ckfw/builtins/certdata.txt
> is correct right now, but I don't see a way to specify 'current' or 'latest' for the raw file that we need. We could write a script to download the html and then parse the raw file URL, but that would require downloading a 5M file just to get the url of a 1.5M file. :(
>
> I don't see how we can give a checksum if the file is changing. We need to let users decide which version they need. I'd be interested in other ideas.
>
> -- Bruce

Couple of possible suggestions. First, and easiest, leave it alone. I know that the file in that repo was updated at least fairly recently. I'd imagine it will continue unless they are killing off maintenance on 1.9.

Second, look at the url in the comments of the perl script which was taken from Fedora. It has a link to their package, just follow their lead.

A third possible solution is to add a comment to each of the 4 Mozilla packages to update a copy of the cacerts.txt on Anduin from whichever is the latest package at the time of update. Personally, the third is my favorite, but it adds editor work.

HTH

--DJ

--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
Re: [blfs-dev] CA Certificates
DJ Lucas wrote:
> On 03/06/14 11:15, Bruce Dubbs wrote:
>> Henrik /KaarPoSoft wrote:
>>> Dear all,
>>>
>>> On http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html you indicate to download CA Certificates from:
>>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
>>>
>>> However, on the mxr frontpage http://mxr.mozilla.org/ the branch Mozilla CVS http://mxr.mozilla.org/mozilla/ is described as follows:
>>>
>>> QUOTE
>>> This contains the entire current CVS repository. For Gecko, XULRunner, and Firefox, CVS trunk is no longer the trunk, and is instead used for Gecko 1.9 / Firefox 3 and the 1.9.0.* / 3.0.* security releases.
>>> UNQUOTE
>>>
>>> So I would like to suggest that alternative sources may be described as well. See e.g. http://kaarpux.kaarposoft.dk/packages/c/certdata.html#certificates_from_mozilla (You are more than welcome to link to this page, if you find it appropriate).
>>>
>>> We are not the only ones struggling to figure out which branch to use. See e.g. the thread started here: http://curl.haxx.se/mail/archive-2013-12/0033.html
>>>
>>> The integrity of the certdata.txt file is essential, so I would also like to suggest that
>>> 1) you download from https://hg.mozilla.org/...
>>> 2) you include a sha256 checksum for the file.
>>
>> It would seem that
>> https://hg.mozilla.org/releases/mozilla-release/raw-file/058ed8ee9adf/security/nss/lib/ckfw/builtins/certdata.txt
>> is correct right now, but I don't see a way to specify 'current' or 'latest' for the raw file that we need. We could write a script to download the html and then parse the raw file URL, but that would require downloading a 5M file just to get the url of a 1.5M file. :(
>>
>> I don't see how we can give a checksum if the file is changing. We need to let users decide which version they need. I'd be interested in other ideas.
>>
>> -- Bruce
>
> Couple of possible suggestions. First, and easiest, leave it alone. I know that the file in that repo was updated at least fairly recently.

Really? When I download that file I get:

CVS_ID @(#) $RCSfile: certdata.txt,v $ $Revision: 1.87 $ $Date: 2012/12/29 16:32:45 $

> I'd imagine it will continue unless they are killing off maintenance on 1.9.
>
> Second, look at the url in the comments of the perl script which was taken from Fedora. It has a link to their package, just follow their lead.

That's the same file.

> A third possible solution is to add a comment to each of the 4 Mozilla packages to update a copy of the cacerts.txt on Anduin from whichever is the latest package at the time of update. Personally, the third is my favorite, but it adds editor work.

Well there is http://anduin.linuxfromscratch.org/sources/other/certdata.txt that updates daily. I was thinking of adding a CVS line to it so the scripts don't have to change. The files in the packages are snapshots of those I think. The issue I have is that they need to have a way to identify the version number or date the file was updated.

-- Bruce
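Added example, not part of the thread and not BLFS or Mozilla code: the two checks discussed above in POSIX shell, comparing a downloaded certdata.txt against a published SHA-256 and reading the revision and date from its CVS_ID line. The function names and the sample file are constructed for illustration, and `sha256sum` from coreutils is assumed.

```shell
#!/bin/sh
# Added example (not BLFS code): pin a certdata.txt snapshot and read its version stamp.

# Print "<revision> <date> <time>" from the CVS_ID line; non-zero if the stamp is missing.
certdata_version() {
    v=$(sed -n 's|^CVS_ID.*\$Revision: \([0-9.]*\) \$ \$Date: \([0-9/]* [0-9:]*\) \$.*|\1 \2|p' "$1" | head -n 1)
    [ -n "$v" ] && printf '%s\n' "$v"
}

# Succeed only if the SHA-256 of file $1 equals the pinned hex digest $2.
verify_pin() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Gate to run before certificates are extracted: check the pin, then report the version.
accept_snapshot() {
    verify_pin "$1" "$2" || { echo "REJECT: checksum mismatch for $1" >&2; return 1; }
    certdata_version "$1" || { echo "REJECT: no CVS_ID stamp in $1" >&2; return 1; }
}

# Constructed sample: the CVS_ID line quoted in the thread plus a dummy body.
make_sample() {
    cat > "$1" <<'EOF'
CVS_ID @(#) $RCSfile: certdata.txt,v $ $Revision: 1.87 $ $Date: 2012/12/29 16:32:45 $
BEGINDATA
CKA_LABEL UTF8 "Constructed Example Root CA"
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/certdata.txt"
    # The digest an editor would publish next to the snapshot URL.
    pin=$(sha256sum "$dir/certdata.txt" | cut -d' ' -f1)
    accept_snapshot "$dir/certdata.txt" "$pin"
    # A copy that no longer matches the pinned snapshot must be refused.
    echo 'CKA_LABEL UTF8 "Unexpected Root"' >> "$dir/certdata.txt"
    accept_snapshot "$dir/certdata.txt" "$pin" || echo "modified copy refused"
    rm -rf "$dir"
}
demo
```

A published checksum only works against a fixed snapshot, so the pin and the revision stamp have to be updated together whenever the snapshot is refreshed.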
[blfs-dev] CA Certificates
Dear all,

On http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html you indicate to download CA Certificates from:
http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1

However, on the mxr frontpage http://mxr.mozilla.org/ the branch Mozilla CVS http://mxr.mozilla.org/mozilla/ is described as follows:

QUOTE
This contains the entire current CVS repository. For Gecko, XULRunner, and Firefox, CVS trunk is no longer the trunk, and is instead used for Gecko 1.9 / Firefox 3 and the 1.9.0.* / 3.0.* security releases.
UNQUOTE

So I would like to suggest that alternative sources may be described as well. See e.g. http://kaarpux.kaarposoft.dk/packages/c/certdata.html#certificates_from_mozilla (You are more than welcome to link to this page, if you find it appropriate).

We are not the only ones struggling to figure out which branch to use. See e.g. the thread started here: http://curl.haxx.se/mail/archive-2013-12/0033.html

The integrity of the certdata.txt file is essential, so I would also like to suggest that
1) you download from https://hg.mozilla.org/...
2) you include a sha256 checksum for the file.

/Henrik

PS: I have some problems with my subscription, so please CC me on any replies.
Re: [blfs-dev] CA Certificates
Henrik /KaarPoSoft wrote:
> Dear all,
>
> On http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html you indicate to download CA Certificates from:
> http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
>
> However, on the mxr frontpage http://mxr.mozilla.org/ the branch Mozilla CVS http://mxr.mozilla.org/mozilla/ is described as follows:
>
> QUOTE
> This contains the entire current CVS repository. For Gecko, XULRunner, and Firefox, CVS trunk is no longer the trunk, and is instead used for Gecko 1.9 / Firefox 3 and the 1.9.0.* / 3.0.* security releases.
> UNQUOTE
>
> So I would like to suggest that alternative sources may be described as well. See e.g. http://kaarpux.kaarposoft.dk/packages/c/certdata.html#certificates_from_mozilla (You are more than welcome to link to this page, if you find it appropriate).
>
> We are not the only ones struggling to figure out which branch to use. See e.g. the thread started here: http://curl.haxx.se/mail/archive-2013-12/0033.html
>
> The integrity of the certdata.txt file is essential, so I would also like to suggest that
> 1) you download from https://hg.mozilla.org/...
> 2) you include a sha256 checksum for the file.

It would seem that
https://hg.mozilla.org/releases/mozilla-release/raw-file/058ed8ee9adf/security/nss/lib/ckfw/builtins/certdata.txt
is correct right now, but I don't see a way to specify 'current' or 'latest' for the raw file that we need. We could write a script to download the html and then parse the raw file URL, but that would require downloading a 5M file just to get the url of a 1.5M file. :(

I don't see how we can give a checksum if the file is changing. We need to let users decide which version they need. I'd be interested in other ideas.

-- Bruce