| 1 |
On Monday 31 December 2012 19:44:32 Rich Freeman wrote: |
| 2 |
> The certificates that Gentoo distributes have at least been vouched |
| 3 |
> for by somebody who is a part of our community, which is more than can |
| 4 |
> be said for most of the upstream certificates. |
| 5 |
|
| 6 |
mmm, Gentoo ships ca-certificates which comes directly from Debian. when |
| 7 |
people request modification (add/remove/whatever), we bounce them to Debian. |
| 8 |
we specifically don't want to deal with this mess and instead "unload" it onto |
| 9 |
Debian :). |
| 10 |
|
| 11 |
we don't modify openssl in any way wrt cert management. it uses the certs the |
| 12 |
user themselves have installed, or other packages have installed into |
| 13 |
/etc/ssl/ (which atm is just ca-certificates afaik). |
| 14 |
|
| 15 |
as for nss, i can't vouch for it directly since i haven't worked on it. a |
| 16 |
cursory glance looks like we add cacert.org and spi (software in the public |
| 17 |
interest) root certs. i don't know if it's possible, but it seems like nss |
| 18 |
should just look in the common /etc/ssl store. either way, i don't see a |
| 19 |
problem here. |
| 20 |
|
| 21 |
i don't know much about gnutls, but it doesn't seem like we do anything there |
| 22 |
other than package it up. |
| 23 |
-mike |
Archives