Re: [Freepto] v1.0beta2 released

Author: boyska
Date:  
To: freepto
Subject: Re: [Freepto] v1.0beta2 released
On Mon, Oct 13, 2014 at 09:20:11PM +0000, vinc3nt wrote:
>>> * Create a Freepto CA and include It
>>> https://github.com/AvANa-BBS/freepto-lb/issues/146
>>> assigned to vinc3nt
>>
>> It seems that there has been some love on this (the freepto-certificates
>> package has been created).
>> vinc3nt, can you clarify if it is going to be a RFT or if there is still
>> something to do?
>
>
>the freepto-certificates package has been created, and it will keep it
>simple to manage and update the system-side certificates.

[...]
>Unfortunately this package isn't able to manage the icedove/iceweasel
>certificates, since those certificates are stored into a binary db
>(cert8.db).

Thanks for reminding me why I DID NOT like that solution :P
cert8.db is a database, which:
* is not easily reviewable by developers
* is hard to keep in sync with freepto-certificates

>It can be handled with the certutil utility, therefore I wrote a simple
>wrapper in order to handle it:
>https://github.com/vinc3nt/freepto-lb/blob/master/tools/certmanage.sh

the problem of this wrapper is that it is meant to be run by developers,
to create a binary blob to be put under version control. I find this quite
hard.

I created a script similar to that one, but which runs as a chroot hook.
If everything works as expected, we can now stop providing a binary
cert8.db, and just let the script create it. You can find it on commit
cd41b414 branch certificates_iceweasel

This is still far from perfect:
* the script is not run when you upgrade freepto-certificates
* it is not even provided to the user
* even if we had a simple method to run it, it's not completely clear
how we should handle upgrades. Remove old version of certificates in
all firefox profiles we find in /home/paranoid?

>the same certificate should be added on icedove as well, this can be a
>good chance to review it for someone else.

ooops, I forgot icedove. I'll patch the script if I find that it works.

--
boyska
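As an added example, not code from this thread or from the Freepto project: a sketch of the profile-side sync the message asks about, using NSS certutil (libnss3-tools) to add the freepto-certificates PEM files to every cert8.db found under a home directory, skipping certificates already present and deleting previously imported ones whose file has since been removed. CERT_DIR, the `freepto:` nickname prefix and the profile search paths are assumptions.

```shell
#!/bin/sh
# Added example (not Freepto's own code). Assumptions: PEM files live in
# CERT_DIR with names without spaces; imported certs get a "freepto:" nickname
# prefix so they can be found and pruned on later upgrades.
set -eu

CERT_DIR="${CERT_DIR:-/usr/share/ca-certificates/freepto}"   # assumed location
NICK_PREFIX="freepto:"                                        # assumed prefix

# Print every profile directory that already holds a cert8.db
# (Iceweasel/Firefox under ~/.mozilla/firefox, Icedove under ~/.icedove).
find_profiles() {
    home="$1"
    for base in "$home/.mozilla/firefox" "$home/.icedove"; do
        [ -d "$base" ] || continue
        find "$base" -maxdepth 2 -name cert8.db -exec dirname {} \;
    done
}

# Nickname derived from the file name: /path/foo.crt -> freepto:foo
cert_nickname() {
    f="${1##*/}"
    f="${f%.crt}"; f="${f%.pem}"
    printf '%s%s\n' "$NICK_PREFIX" "$f"
}

# Add one cert as a trusted CA unless that nickname is already in the db.
import_cert() {
    profile="$1"; cert="$2"
    nick=$(cert_nickname "$cert")
    certutil -L -d "$profile" -n "$nick" >/dev/null 2>&1 && return 0
    certutil -A -d "$profile" -n "$nick" -t "C,," -i "$cert"
}

# Delete our previously imported certs whose PEM file no longer exists
# (the "remove old version of certificates" question from the thread).
prune_stale() {
    profile="$1"
    certutil -L -d "$profile" | awk -v p="$NICK_PREFIX" 'index($0,p)==1 {print $1}' |
    while read -r nick; do
        [ -f "$CERT_DIR/${nick#"$NICK_PREFIX"}.crt" ] || certutil -D -d "$profile" -n "$nick"
    done
}

# Sync every profile found under one home directory (e.g. /home/paranoid).
sync_home() {
    command -v certutil >/dev/null || { echo "certutil missing (libnss3-tools)" >&2; return 1; }
    find_profiles "$1" | while read -r profile; do
        for cert in "$CERT_DIR"/*.crt; do [ -f "$cert" ] && import_cert "$profile" "$cert"; done
        prune_stale "$profile"
    done
}
```

Run as `sync_home /home/paranoid` after the package upgrades; the certutil calls only touch profiles that already have a cert8.db.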