From Fedora Project Wiki
< Features
Done items:
- prepare NSS for alternatives links (Bug 915818)
- ship p11-kit with trust module
TODO
- ship new ca-certificates
- must conflict with older p11-kit (new ca-cert needs new p11-kit)
Facts:
- system-manage scripts cannot be in p11-kit, because of multilib.
- system-manage scripts will be in ca-certificates.NOARCH
Decisions needed:
- exact path for 2 input directories. proposal:
- /usr/share/pki/ca-trust-intake/
- /etc/pki/ca-trust/intake/
- parent path for extracted output. proposal:
- /etc/pki/ca-trust/toolkits/[openssl|gnutls]
- exact path for extractex directories, proposal:
/etc/pki/ca-trust/toolkits/openssl/ /etc/pki/ca-trust/toolkits/openssl/tls-whitelist-bundle.pem /etc/pki/ca-trust/toolkits/openssl/email-whitelist-bundle.pem /etc/pki/ca-trust/toolkits/openssl/objsign-whitelist-bundle.pem /etc/pki/ca-trust/toolkits/openssl/trust-bundle.pem /etc/pki/ca-trust/toolkits/openssl/trusted-hashed/ /etc/pki/ca-trust/toolkits/gnutls/tls-whitelist-bundle.pem -> ../openssl/tls-whitelist-bundle.pem /etc/pki/ca-trust/toolkits/java/cacerts
- for feature freeze:
- java
- gnutls == openssl classic bundle without trust
- both openssl-directory and openssl-trust bundle?
Tasks for ca-certificates package:
- requires p11-kit
- use alternatives for symbolic links? NO
- it writes to a filename in /usr/share/ - only the trust bundle, not the old bundle
- installs symlinks to generated files
- makes backups of old bundles in .rpmsave backup files (in %pre script)
- calls "p11-kit extract" at install time (in %post script) to create sub-bundle at install time
- must have re-generate command/script in ca-certificates before feature freeze
- which tool/script defines the output directory?
- ca-certificates generation script
- same package contains READMEs (no PEM headers there)
- use chmod -w for output dirs ? Make it work.
- in Readme file, document that
- files in intake directory without trust = TLS trust only
- explains that all files inside here are automatically generated by "{tool}", manual changes are not allowed and will be overwritten
- mention that NSS loads p11-kit-trust.so which directly reads "input"
Tasks for p11-kit:
- must have Conflicts: nss < first-version-with-alternatives-symlink
- must use update-alternatives in %post and %postun scripts, priority 30
- currently uses only the non-trust file as input
- must change p11-kit to use both /usr/share/ and /etc/ TRUST-BUNDLES by monday
- later: fix priorities (/usr low priority, /etc high priority)
- fact (document?): p11-trust ignores all unknown files, ignores subdirs