On Monday 31 December 2012 19:44:32 Rich Freeman wrote:
> The certificates that Gentoo distributes have at least been vouched
> for by somebody who is a part of our community, which is more than can
> be said for most of the upstream certificates.

mmm, Gentoo ships ca-certificates which comes directly from Debian. when
people request modification (add/remove/whatever), we bounce them to Debian.
we specifically don't want to deal with this mess and instead "unload" it onto
Debian :).

we don't modify openssl in any way wrt cert management. it uses the certs the
user themselves have installed, or other packages have installed into
/etc/ssl/ (which atm is just ca-certificates afaik).

as for nss, i can't vouch for it directly since i haven't worked on it. a
cursory glance looks like we add cacert.org and spi (software in the public
interest) root certs. i don't know if it's possible, but it seems like nss
should just look in the common /etc/ssl store. either way, i don't see a
problem here.

i don't know much about gnutls, but it doesn't seem like we do anything there
other than package it up.
-mike