From Fedora Project Wiki

Revision as of 10:42, 6 March 2013 by Kengert (talk | contribs)

Done items:

  • prepare NSS for alternatives links (Bug 915818)
  • ship p11-kit with trust module


TODO

  • ship new ca-certificates
    • must conflict with older p11-kit (new ca-cert needs new p11-kit)

Facts:

  • system-manage scripts cannot be in p11-kit, because of multilib.
  • system-manage scripts will be in ca-certificates.NOARCH

Decisions needed:

  • exact path for 2 input directories. proposal:
    • /usr/share/pki/ca-trust-intake/
    • /etc/pki/ca-trust/intake/
  • parent path for extracted output. proposal:
    • /etc/pki/ca-trust/toolkits/[openssl|gnutls]
  • exact path for extracted directories. proposal:
    • /etc/pki/ca-trust/toolkits/openssl/
    • /etc/pki/ca-trust/toolkits/openssl/tls-whitelist-bundle.pem
    • /etc/pki/ca-trust/toolkits/openssl/email-whitelist-bundle.pem
    • /etc/pki/ca-trust/toolkits/openssl/objsign-whitelist-bundle.pem
    • /etc/pki/ca-trust/toolkits/openssl/trust-bundle.pem
    • /etc/pki/ca-trust/toolkits/openssl/trusted-hashed/
    • /etc/pki/ca-trust/toolkits/gnutls/tls-whitelist-bundle.pem -> ../openssl/tls-whitelist-bundle.pem
    • /etc/pki/ca-trust/toolkits/java/cacerts

  • for feature freeze:
    • java
    • gnutls == openssl classic bundle without trust
    • both openssl-directory and openssl-trust bundle?


Tasks for ca-certificates package:

  • requires p11-kit
  • use alternatives for symbolic links? NO
  • it writes to a filename in /usr/share/ - only the trust bundle, not the old bundle
  • installs symlinks to generated files
  • makes backups of old bundles in .rpmsave backup files (in %pre script)
  • calls "p11-kit extract" in the %post script to create the sub-bundle at install time
  • must have re-generate command/script in ca-certificates before feature freeze
  • which tool/script defines the output directory?
    • ca-certificates generation script
    • same package contains READMEs (no PEM headers there)
    • use chmod -w for output dirs? Make it work.
    • in the README file, document that
      • files in the intake directory without trust = TLS trust only
      • all files inside here are automatically generated by "{tool}"; manual changes are not allowed and will be overwritten
      • NSS loads p11-kit-trust.so, which directly reads "input"


Tasks for p11-kit:

  • must have Conflicts: nss < first-version-with-alternatives-symlink
  • must use update-alternatives in %post and %postun scripts, priority 30
  • currently uses only the non-trust file as input
  • must change p11-kit to use both /usr/share/ and /etc/ TRUST-BUNDLES by Monday
  • later: fix priorities (/usr low priority, /etc high priority)
  • fact (document?): p11-trust ignores all unknown files, ignores subdirs