Re: [Freepto] v1.0beta2 released

Author: boyska
To: freepto
Subject: Re: [Freepto] v1.0beta2 released
On Mon, Oct 13, 2014 at 09:20:11PM +0000, vinc3nt wrote:
>>> * Create a Freepto CA and include it
>>> assigned to vinc3nt
>> It seems that there has been some love on this (the freepto-certificates
>> package has been created).
>> vinc3nt, can you clarify if it is going to be an RFT or if there is still
>> something to do?
>the freepto-certificates package has been created, and it will keep it
>simple to manage and update the system-side certificates.

>Unfortunately this package isn't able to manage the icedove/iceweasel
>certificates, since those certificates are stored into a binary db

Thanks for reminding me why I DID NOT like that solution :P
cert8.db is a database, which:
* is not easily reviewable by developers
* is hard to keep in sync with freepto-certificates

>It can be handled with the certutil utility, therefore I wrote a simple
>wrapper in order to handle it:

the problem with this wrapper is that it is meant to be run by developers,
to create a binary blob to be put under version control. I find this quite

I created a script similar to that one, but which runs as a chroot hook.
If everything works as expected, we can now stop providing a binary
cert8.db, and just let the script create it. You can find it on commit
cd41b414 branch certificates_iceweasel

This is still far from perfect:
* the script is not run when you upgrade freepto-certificates
* it is not even provided to the user
* even if we had a simple method to run it, it's not completely clear
how we should handle upgrades. Remove old version of certificates in
all firefox profiles we find in /home/paranoid?

>the same certificate should be added on icedove as well, this can be a
>good chance to review it for someone else.

ooops, I forgot icedove. I'll patch the script if I find that it works.
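
The approach discussed in this thread is to build the NSS database at image build time from reviewable certificate files instead of committing a binary cert8.db. The sketch below is an added example, not the script from commit cd41b414 and not part of the original message. The source directory, the `freepto-` nickname prefix and the `import_cas` function name are assumptions; re-running replaces entries by nickname, which is only one possible answer to the upgrade question raised above.

```shell
#!/bin/sh
# Added example: populate an NSS certificate database from PEM files so that
# only the reviewable *.crt files live in version control.
# All paths and names below are assumptions, not Freepto's real layout.
CERT_SRC="${CERT_SRC:-/usr/share/ca-certificates/freepto}"  # hypothetical PEM directory
CERTUTIL="${CERTUTIL:-certutil}"                            # from the NSS tools package
# cert8.db is the legacy dbm format; set NSS_DB_PREFIX=sql: for cert9.db.
NSS_DB_PREFIX="${NSS_DB_PREFIX:-dbm:}"

# import_cas PROFILE_DIR
# Adds every *.crt in CERT_SRC to the profile's database as a trusted SSL CA
# and prints the number of certificates imported.
import_cas() {
    profile="$1"
    db="${NSS_DB_PREFIX}${profile}"
    count=0
    [ -d "$profile" ] || { echo "no such profile dir: $profile" >&2; return 1; }

    # Create an empty, password-less database if the profile has none yet.
    if [ ! -e "$profile/cert8.db" ] && [ ! -e "$profile/cert9.db" ]; then
        "$CERTUTIL" -N -d "$db" --empty-password || return 1
    fi

    for pem in "$CERT_SRC"/*.crt; do
        [ -f "$pem" ] || continue
        nick="freepto-$(basename "$pem" .crt)"
        # Delete any earlier copy under the same nickname so that a re-run
        # replaces the certificate instead of failing or duplicating it.
        "$CERTUTIL" -D -n "$nick" -d "$db" 2>/dev/null || true
        # "C,," trusts the CA for TLS server certificates only.
        "$CERTUTIL" -A -n "$nick" -t "C,," -a -i "$pem" -d "$db" || return 1
        count=$((count + 1))
    done
    echo "$count"
}
```

After a run, `certutil -L -d <profile>` lists the nicknames and trust flags, which gives a reviewable view of what ended up in the database.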