Bug 620752

Summary: Review Request: update-ca-certificates - A tool to manage systemwide CA certificates
Product: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED EOL
Severity: medium
Priority: low
Reporter: Sascha Thomas Spreitzer <sspreitzer>
Assignee: David Woodhouse <dwmw2>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwmw2, fedora-package-review, sspreitzer
Flags: dwmw2: fedora-review+; ignatenko: needinfo? (sspreitzer); kevin: fedora-cvs+
Doc Type: Bug Fix
Last Closed: 2016-08-15 08:21:00 EDT

Description Sascha Thomas Spreitzer 2010-08-03 08:09:58 EDT
Spec URL: http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates.spec
SRPM URL: http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates-0.1-1.fc13.src.rpm
Description: 
A tool to create CA certificate index links for openssl
-

This is to solve a blocker on integration of new openssl certs under /etc/pki/tls/certs
! This is my third package, but I still need a sponsor. !
Comment 1 Sascha Thomas Spreitzer 2010-08-03 08:17:28 EDT
Source of Fedora's update-ca-certificates:
http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates-0.1/update-ca-certificates
Comment 2 David Woodhouse 2010-08-03 08:59:30 EDT
I can sponsor you. Thanks very much for looking at this.

One request: please could I ask if you would consider licensing this tool under GPLv2+? I would like to include it in MeeGo too, and we have silly rules about GPLv3. It would be a shame to write *another* separate implementation.

Your tool creates a hashed directory for OpenSSL -- a bit like the OpenSSL c_rehash script. But the Fedora OpenSSL still doesn't *use* such a directory, does it? It's configured only to use a single flat file /etc/pki/tls/cert.pem.

Your sample ca-cacert package adds its certs manually to the NSS database, and presumably it would also call this update-ca-certificates script in its %post script? Perhaps the script should handle *both* tasks for it, to reduce the complexity of the %post and %postun/%preun scripts in the CA packages?

If the script were to take an argument listing the filenames of the certs to add/remove, then it could update *both* the NSS database and the OpenSSL flat file at the same time (or perhaps do the NSS database and then just regenerate the OpenSSL file directly from that?).

I assume you've looked at the Debian update-ca-certificates script? I have mailed the maintainer/author of that script and asked if he's interested in improvements to work well with NSS, but he hasn't responded. But still, if we could do something which is broadly similar in usage then it would be much appreciated by anyone who has to do any cross-distro work in this area.
Comment 3 Sascha Thomas Spreitzer 2010-08-03 10:05:57 EDT
(In reply to comment #2)
> I can sponsor you. Thanks very much for looking at this.

Great news, thank you!

> One request: please could I ask if you would consider licensing this tool under
> GPLv2+? I would like to include it in MeeGo too, and we have silly rules about
> GPLv3. It would be a shame to write *another* separate implementation.

That is ok for me, next upload will be GPLv2+.

> Your tool creates a hashed directory for OpenSSL -- a bit like the OpenSSL
> c_rehash script. But the Fedora OpenSSL still doesn't *use* such a directory,
> does it? It's configured only to use a single flat file /etc/pki/tls/cert.pem.

My copy of Fedora's openssl is *using* the hash.nr files. So I would assume Fedora's OpenSSL is configured to use this kind of directory?

> Your sample ca-cacert package adds its certs manually to the NSS database, and
> presumably it would also call this update-ca-certificates script in its %post
> script? Perhaps the script should handle *both* tasks for it, to reduce the
> complexity of the %post and %postun/%preun scripts in the CA packages?
> 
> If the script were to take an argument listing the filenames of the certs to
> add/remove, then it could update *both* the NSS database and the OpenSSL flat
> file at the same time (or perhaps do the NSS database and then just regenerate
> the OpenSSL file directly from that?).

I thought about an improved version that involves --add/--delete, I think adding a --nss will not be that hard! So, stay tuned for an update. :)

> I assume you've looked at the Debian update-ca-certificates script? I have
> mailed the maintainer/author of that script and asked if he's interested in
> improvements to work well with NSS, but he hasn't responded. But still, if we
> could do something which is broadly similar in usage then it would be much
> appreciated by anyone who has to do any cross-distro work in this area.    

I have taken a look at Debian's script and decided to write one from scratch for Fedora. Debian deals with its cert management differently than Fedora (e.g. paths).
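Comments 2 and 3 turn on how OpenSSL's CApath lookup works: each CA file is reached through a symlink named <subject_hash>.<N>, where N counts up to resolve hash collisions, which is what c_rehash and the reviewed tool generate. As an added illustration (not the reviewed tool's code and not part of this thread), a minimal POSIX sh indexer for such a directory; it assumes an openssl binary on PATH and a directory of PEM files such as the /etc/pki/tls/certs named above:

```shell
#!/bin/sh
# Added example: minimal c_rehash-style indexer for an OpenSSL CApath directory.
# OpenSSL looks a CA up by opening <subject_hash>.0, <subject_hash>.1, ... until
# the subject matches, so every certificate needs exactly one such link.

# next_link_name DIR HASH: print the first unused "HASH.N" name in DIR.
next_link_name() {
    dir=$1; h=$2; n=0
    while [ -e "$dir/$h.$n" ]; do
        n=$((n + 1))
    done
    printf '%s.%d\n' "$h" "$n"
}

# rehash_dir DIR: rebuild the index links for every *.pem / *.crt file in DIR.
rehash_dir() {
    dir=$1
    # Remove the old index first: a stale or dangling link would otherwise keep
    # pointing at a CA that has since been removed or replaced.
    for link in "$dir"/*.[0-9] "$dir"/*.[0-9][0-9]; do
        if [ -L "$link" ]; then rm -f "$link"; fi
    done
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        # Skip glob literals and skip symlinks, which would be indexed twice.
        [ -f "$cert" ] && [ ! -L "$cert" ] || continue
        # -subject_hash prints the 8 hex digits OpenSSL 1.0 and later use for
        # lookup; a file that does not parse as a certificate is left unindexed.
        h=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || continue
        ln -s "$(basename "$cert")" "$dir/$(next_link_name "$dir" "$h")"
    done
}

# Usage, run as root after adding or removing a CA file:
#   rehash_dir /etc/pki/tls/certs
```

Whether OpenSSL consults this directory at all is a separate question (comment 2 notes Fedora's build is configured for the flat /etc/pki/tls/cert.pem); check the compiled-in paths with `openssl version -d` before relying on the index.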
Comment 5 Sascha Thomas Spreitzer 2010-08-04 13:02:47 EDT
Here we go, version 0.2-2;

Spec URL:
http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates.spec
SRPM URL:
http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates-0.2-2.fc13.src.rpm
Description: 
A tool to manage systemwide CA certificates
-

Source of script:
http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates-0.2/update-ca-certificates

-
From Changelog:
* Wed Aug 04 2010 Sascha Thomas Spreitzer <sspreitzer@fedoraproject.org> 0.2-2
- fixed relative path issue, thanks to Sandro "red" Mathys
- add license file and changed license shorttag in spec to reflect GPLv2+
- corrected typos, enhanced description, added verbosity
Comment 6 David Woodhouse 2010-08-04 13:38:26 EDT
Two items in the review guidelines need review. First, the rpmlint output:

update-ca-certificates.src: W: spelling-error Summary(en_US) systemwide -> system wide, system-wide, systematize
update-ca-certificates.src: W: spelling-error %description -l en_US systemwide -> system wide, system-wide, systematize
update-ca-certificates.noarch: W: spelling-error Summary(en_US) systemwide -> system wide, system-wide, systematize
update-ca-certificates.noarch: W: spelling-error %description -l en_US systemwide -> system wide, system-wide, systematize
update-ca-certificates.noarch: W: no-manual-page-for-binary update-ca-certificates

Add the hyphen it wants, and let's see if we can put together a simple man page.

Also, we should provide a proper upstream for the project, and a place to put release tarballs. Do you have the facility for that already? If not, you can mail me an SSH public key (make sure to use a passphrase) and I can give you an account on {ftp,git}.infradead.org.
Comment 7 Sascha Thomas Spreitzer 2010-08-04 18:51:57 EDT
Hyphens added, man page added, all uploaded.

Requested a fedorahosted.org git repo and trac. :)
https://fedorahosted.org/fedora-infrastructure/ticket/2309
Comment 8 David Woodhouse 2010-08-05 04:11:58 EDT
Excellent; thanks. Approved, with one last caveat -- in your %install stage please use 'install' to install the files and set permissions explicitly, rather than just 'cp'.

I've sponsored you, so I believe the next step is to make the SCM admin request to add the package, as described at http://fedoraproject.org/wiki/Package_SCM_admin_requests
Comment 9 Sascha Thomas Spreitzer 2010-08-05 06:45:00 EDT
Here we go, version 0.2-2;

Spec URL:
https://fedorahosted.org/update-ca-certificates/browser/update-ca-certificates.spec
SRPM URL:
http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates-0.2-3.fc13.src.rpm
Description: 
A tool to manage systemwide CA certificates
-

Source of script:
https://fedorahosted.org/update-ca-certificates/browser/src/update-ca-certificates

-
From Changelog:
* Thu Aug 05 2010 Sascha Thomas Spreitzer <sspreitzer@fedoraproject.org> 0.2-3
- Substituted cp with install in spec file
- New fedorahosted.org git repo + trac
- changed dir structure, src/update-ca-certificates

-
NEW git SCM under git://fedorahosted.org/git/update-ca-certificates.git
Trac: https://fedorahosted.org/update-ca-certificates

Proceeding with SCM admin request to add package to fedora
Comment 10 Sascha Thomas Spreitzer 2010-08-05 06:45:50 EDT
(In reply to comment #9)
> Here we go, version 0.2-2;

Ouch! Should be 0.2-3
Comment 11 Sascha Thomas Spreitzer 2010-08-05 06:58:29 EDT
(In reply to comment #8)
> I've sponsored you, so I believe the next step is to make the SCM admin request
> to add the package, as described at
> http://fedoraproject.org/wiki/Package_SCM_admin_requests    

Can you please set the fedora-review flag at this bug to "+" ?
Comment 12 Sascha Thomas Spreitzer 2010-08-05 07:15:26 EDT
New Package SCM Request
=======================
Package Name: update-ca-certificates
Short Description: A tool to manage system-wide CA certificates
Owners: sspreitzer
Branches: f13 f14 el6
InitialCC: dwmw2

-
Waiting for manual sync to be able to set the "fedora-cvs: ?" flag.
Comment 13 Kevin Fenzi 2010-08-05 13:10:25 EDT
Git done (by process-git-requests).
Comment 14 Fedora Update System 2010-08-05 18:37:32 EDT
update-ca-certificates-0.2-3.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/update-ca-certificates-0.2-3.fc14
Comment 15 Fedora Update System 2010-08-18 21:14:47 EDT
update-ca-certificates-0.2-3.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Igor Gnatenko 2016-08-14 11:50:09 EDT
ping?
Comment 17 David Woodhouse 2016-08-15 08:21:00 EDT
This package is retired, obsoleted by update-ca-trust which is found in the ca-certificates package.

Unlike update-ca-certificates (in Debian, Ubuntu and this version in Fedora), the replacement works coherently across the entire distribution, including applications which use NSS.