Features/SharedSystemCertificates:SubTasks: Difference between revisions

Revision as of 10:42, 6 March 2013

Done items:

prepare NSS for alternatives links (Bug 915818)
ship p11-kit with trust module

TODO

ship new ca-certificates
- must conflict with older p11-kit (new ca-cert needs new p11-kit)

Facts:

system-manage scripts cannot be in p11-kit, because of multilib.
system-manage scripts will be in ca-certificates.NOARCH

Decisions needed:

exact path for 2 input directories. proposal:
- /usr/share/pki/ca-trust-intake/
- /etc/pki/ca-trust/intake/
parent path for extracted output. proposal:
- /etc/pki/ca-trust/toolkits/[openssl|gnutls]
exact path for extractex directories, proposal:

/etc/pki/ca-trust/toolkits/openssl/ /etc/pki/ca-trust/toolkits/openssl/tls-whitelist-bundle.pem /etc/pki/ca-trust/toolkits/openssl/email-whitelist-bundle.pem /etc/pki/ca-trust/toolkits/openssl/objsign-whitelist-bundle.pem /etc/pki/ca-trust/toolkits/openssl/trust-bundle.pem /etc/pki/ca-trust/toolkits/openssl/trusted-hashed/ /etc/pki/ca-trust/toolkits/gnutls/tls-whitelist-bundle.pem -> ../openssl/tls-whitelist-bundle.pem /etc/pki/ca-trust/toolkits/java/cacerts

for feature freeze:
- java
- gnutls == openssl classic bundle without trust
- both openssl-directory and openssl-trust bundle?

Tasks for ca-certificates package:

requires p11-kit
use alternatives for symbolic links? NO
it writes to a filename in /usr/share/ - only the trust bundle, not the old bundle
installs symlinks to generated files
makes backups of old bundles in .rpmsave backup files (in %pre script)
calls "p11-kit extract" at install time (in %post script) to create sub-bundle at install time
must have re-generate command/script in ca-certificates before feature freeze

which tool/script defines the output directory?
- ca-certificates generation script
- same package contains READMEs (no PEM headers there)
- use chmod -w for output dirs ? Make it work.
- in Readme file, document that
  - files in intake directory without trust = TLS trust only
  - explains that all files inside here are automatically generated by "{tool}", manual changes are not allowed and will be overwritten
  - mention that NSS loads p11-kit-trust.so which directly reads "input"

Tasks for p11-kit:

must have Conflicts: nss < first-version-with-alternatives-symlink
must use update-alternatives in %post and %postun scripts, priority 30
currently uses only the non-trust file as input
must change p11-kit to use both /usr/share/ and /etc/ TRUST-BUNDLES by monday
later: fix priorities (/usr low priority, /etc high priority)
fact (document?): p11-trust ignores all unknown files, ignores subdirs

@@ Line 11: / Line 11: @@
 * system-manage scripts cannot be in p11-kit, because of multilib.
 * system-manage scripts will be in ca-certificates.NOARCH
+Decisions needed:
+* exact path for 2 input directories. proposal:
+** /usr/share/pki/ca-trust-intake/
+** /etc/pki/ca-trust/intake/
+* parent path for extracted output. proposal:
+** /etc/pki/ca-trust/toolkits/[openssl|gnutls]
+* exact path for extractex directories, proposal:
+/etc/pki/ca-trust/toolkits/openssl/
+/etc/pki/ca-trust/toolkits/openssl/tls-whitelist-bundle.pem
+/etc/pki/ca-trust/toolkits/openssl/email-whitelist-bundle.pem
+/etc/pki/ca-trust/toolkits/openssl/objsign-whitelist-bundle.pem
+/etc/pki/ca-trust/toolkits/openssl/trust-bundle.pem
+/etc/pki/ca-trust/toolkits/openssl/trusted-hashed/
+/etc/pki/ca-trust/toolkits/gnutls/tls-whitelist-bundle.pem -> ../openssl/tls-whitelist-bundle.pem
+/etc/pki/ca-trust/toolkits/java/cacerts
+* for feature freeze:
+** java
+** gnutls == openssl classic bundle without trust
+** both openssl-directory and openssl-trust bundle?
@@ Line 21: / Line 42: @@
 * calls "p11-kit extract" at install time (in %post script) to create sub-bundle at install time
 * must have re-generate command/script in ca-certificates before feature freeze
+* which tool/script defines the output directory?
+** ca-certificates generation script
+** same package contains READMEs (no PEM headers there)
+** use chmod -w for output dirs ? Make it work.
+** in Readme file, document that
+*** files in intake directory without trust = TLS trust only
+*** explains that all files inside here are automatically generated by "{tool}", manual changes are not allowed and will be overwritten
+*** mention that NSS loads p11-kit-trust.so which directly reads "input"
+Tasks for p11-kit:
+* must have Conflicts: nss < first-version-with-alternatives-symlink
+* must use update-alternatives in %post and %postun scripts, priority 30
+* currently uses only the non-trust file as input
+* must change p11-kit to use both /usr/share/ and /etc/ TRUST-BUNDLES by monday
+* later: fix priorities (/usr low priority, /etc high priority)
+* fact (document?): p11-trust ignores all unknown files, ignores subdirs

Search

Features/SharedSystemCertificates:SubTasks: Difference between revisions

Revision as of 10:42, 6 March 2013