Spec URL: http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates.spec
SRPM URL: http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates-0.1-1.fc13.src.rpm
Description: A tool to create CA certificates index links for openssl
- This is to solve a blocker on integration of new openssl certs under /etc/pki/tls/certs
! This is my third package, but I still need a sponsor. !
Source of Fedora's update-ca-certificates: http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates-0.1/update-ca-certificates
I can sponsor you. Thanks very much for looking at this.
One request: please could I ask if you would consider licensing this tool under GPLv2+? I would like to include it in MeeGo too, and we have silly rules about GPLv3. It would be a shame to write *another* separate implementation.
Your tool creates a hashed directory for OpenSSL -- a bit like the OpenSSL c_rehash script. But the Fedora OpenSSL still doesn't *use* such a directory, does it? It's configured only to use a single flat file /etc/pki/tls/cert.pem.
Your sample ca-cacert package adds its certs manually to the NSS database, and presumably it would also call this update-ca-certificates script in its %post script? Perhaps the script should handle *both* tasks for it, to reduce the complexity of the %post and %postun/%preun scripts in the CA packages?
If the script were to take an argument listing the filenames of the certs to add/remove, then it could update *both* the NSS database and the OpenSSL flat file at the same time (or perhaps do the NSS database and then just regenerate the OpenSSL file directly from that?).
I assume you've looked at the Debian update-ca-certificates script? I have mailed the maintainer/author of that script and asked if he's interested in improvements to work well with NSS, but he hasn't responded. But still, if we could do something which is broadly similar in usage then it would be much appreciated by anyone who has to do any cross-distro work in this area.
(In reply to comment #2)
> I can sponsor you. Thanks very much for looking at this.
Great news, thank you!
> One request: please could I ask if you would consider licensing this tool under
> GPLv2+? I would like to include it in MeeGo too, and we have silly rules about
> GPLv3. It would be a shame to write *another* separate implementation.
That is ok for me, next upload will be GPLv2+.
> Your tool creates a hashed directory for OpenSSL -- a bit like the OpenSSL
> c_rehash script. But the Fedora OpenSSL still doesn't *use* such a directory,
> does it? It's configured only to use a single flat file /etc/pki/tls/cert.pem.
My copy of Fedora's openssl is *using* the hash.nr files. So I would assume Fedora's OpenSSL is configured to use this kind of directory?
> Your sample ca-cacert package adds its certs manually to the NSS database, and
> presumably it would also call this update-ca-certificates script in its %post
> script? Perhaps the script should handle *both* tasks for it, to reduce the
> complexity of the %post and %postun/%preun scripts in the CA packages?
>
> If the script were to take an argument listing the filenames of the certs to
> add/remove, then it could update *both* the NSS database and the OpenSSL flat
> file at the same time (or perhaps do the NSS database and then just regenerate
> the OpenSSL file directly from that?).
I thought about an improved version that involves --add/--delete, I think adding a --nss will not be that hard! So, stay tuned for an update. :)
> I assume you've looked at the Debian update-ca-certificates script? I have
> mailed the maintainer/author of that script and asked if he's interested in
> improvements to work well with NSS, but he hasn't responded. But still, if we
> could do something which is broadly similar in usage then it would be much
> appreciated by anyone who has to do any cross-distro work in this area.
I have taken a look at Debian's script and decided to write one from scratch for Fedora.
Debian deals with its cert management differently than Fedora (e.g. paths).
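The hashed-directory and flat-file layouts discussed in the two comments above, as an added example that is not part of this thread, the reviewed package or c_rehash itself. It goes slightly beyond the discussion by handling subject-hash collisions and stale links; the function names `rehash_dir` and `build_bundle` and their directory arguments are assumptions.

```shell
#!/bin/sh
# Added example. Assumes a directory holding one PEM CA certificate per
# *.pem / *.crt file and the openssl command-line tool on PATH.

# Hashed-directory layout (what c_rehash produces): one symlink per cert,
# named <subject_hash>.<n>; <n> rises when distinct certs share a subject.
rehash_dir() {
    dir=$1
    # Remove old hash symlinks first so a deleted CA does not stay trusted
    # through a dangling or stale link.
    for link in "$dir"/*.[0-9]*; do
        if [ -L "$link" ]; then rm -f "$link"; fi
    done
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        # Files that do not parse as X.509 are skipped, not linked.
        hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || continue
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert")
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            seen=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$hash.$n")
            # Identical certificate under another file name: link it once only.
            if [ "$seen" = "$fp" ]; then continue 2; fi
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
    return 0
}

# Flat-file layout: every certificate concatenated into one bundle. The bundle
# is built in a temporary file and renamed into place, so a TLS client never
# reads a half-written trust store. Keep $out outside $dir.
build_bundle() {
    dir=$1
    out=$2
    tmp=$(mktemp "$out.XXXXXX") || return 1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        openssl x509 -in "$cert" -outform PEM >>"$tmp" 2>/dev/null || true
    done
    chmod 644 "$tmp"
    mv -f "$tmp" "$out"
}
```

`openssl verify -CApath DIR cert.pem` exercises the first layout and `openssl verify -CAfile BUNDLE cert.pem` the second, which is a quick way to confirm which store a given certificate is actually trusted through.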
Here we go, version 0.2;
Spec URL: http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates.spec
SRPM URL: http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates-0.2-1.fc13.src.rpm
Description: A tool to create CA certificates index links for openssl
- Source of script: http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates-0.2/update-ca-certificates
Here we go, version 0.2-2;
Spec URL: http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates.spec
SRPM URL: http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates-0.2-2.fc13.src.rpm
Description: A tool to manage systemwide CA certificates
- Source of script: http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates-0.2/update-ca-certificates
- From Changelog:
* Wed Aug 04 2010 Sascha Thomas Spreitzer <sspreitzer> 0.2-2
- fixed relative path issue, thanks to Sandro "red" Mathys
- add license file and changed license shorttag in spec to reflect GPLv2+
- corrected typos, enhanced description, added verbosity
Two items in the review guidelines need review. First, the rpmlint output:
update-ca-certificates.src: W: spelling-error Summary(en_US) systemwide -> system wide, system-wide, systematize
update-ca-certificates.src: W: spelling-error %description -l en_US systemwide -> system wide, system-wide, systematize
update-ca-certificates.noarch: W: spelling-error Summary(en_US) systemwide -> system wide, system-wide, systematize
update-ca-certificates.noarch: W: spelling-error %description -l en_US systemwide -> system wide, system-wide, systematize
update-ca-certificates.noarch: W: no-manual-page-for-binary update-ca-certificates
Add the hyphen it wants, and let's see if we can put together a simple man page.
Also, we should provide a proper upstream for the project, and a place to put release tarballs. Do you have the facility for that already? If not, you can mail me a SSH public key (make sure to use a passphrase) and I can give you an account on {ftp,git}.infradead.org.
Hyphens added, man page added, all uploaded. Requested a fedorahosted.org git repo and trac. :) https://fedorahosted.org/fedora-infrastructure/ticket/2309
Excellent; thanks. Approved, with one last caveat -- in your %install stage please use 'install' to install the files and set permissions explicitly, rather than just 'cp'. I've sponsored you, so I believe the next step is to make the SCM admin request to add the package, as described at http://fedoraproject.org/wiki/Package_SCM_admin_requests
Here we go, version 0.2-2;
Spec URL: https://fedorahosted.org/update-ca-certificates/browser/update-ca-certificates.spec
SRPM URL: http://sspreitzer.fedorapeople.org/update-ca-certificates/update-ca-certificates-0.2-3.fc13.src.rpm
Description: A tool to manage systemwide CA certificates
- Source of script: https://fedorahosted.org/update-ca-certificates/browser/src/update-ca-certificates
- From Changelog:
* Thu Aug 05 2010 Sascha Thomas Spreitzer <sspreitzer> 0.2-3
- Substituted cp with install in spec file
- New fedorahosted.org git repo + trac
- changed dir structure, src/update-ca-certificates
- NEW git SCM under git://fedorahosted.org/git/update-ca-certificates.git
Trac: https://fedorahosted.org/update-ca-certificates
Proceeding with SCM admin request to add package to Fedora
(In reply to comment #9)
> Here we go, version 0.2-2;
Ouch! Should be 0.2-3
(In reply to comment #8)
> I've sponsored you, so I believe the next step is to make the SCM admin request
> to add the package, as described at
> http://fedoraproject.org/wiki/Package_SCM_admin_requests
Can you please set the fedora-review flag at this bug to "+"?
New Package SCM Request
=======================
Package Name: update-ca-certificates
Short Description: A tool to manage system-wide CA certificates
Owners: sspreitzer
Branches: f13 f14 el6
InitialCC: dwmw2
- Waiting for manual sync to be able to set the "fedora-cvs: ?" flag.
Git done (by process-git-requests).
update-ca-certificates-0.2-3.fc14 has been submitted as an update for Fedora 14. http://admin.fedoraproject.org/updates/update-ca-certificates-0.2-3.fc14
update-ca-certificates-0.2-3.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
ping?
This package is retired, obsoleted by update-ca-trust which is found in the ca-certificates package. Unlike update-ca-certificates (in Debian, Ubuntu and this version in Fedora), the replacement works coherently across the entire distribution, including applications which use NSS.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days