Henrik /KaarPoSoft wrote:
> Dear all,
>
> On
> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html
> you indicate to download CA Certificates from:
> http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
>
> However, on the "mxr frontpage"
> http://mxr.mozilla.org/
> the branch "Mozilla CVS"
> http://mxr.mozilla.org/mozilla/
> is described as follows:
>
> QUOTE
> This contains the entire current CVS repository.
> For Gecko, XULRunner, and Firefox, CVS trunk is no longer the trunk,
> and is instead used for Gecko 1.9 / Firefox 3 and the 1.9.0.* / 3.0.*
> security releases.
> UNQUOTE
>
> So I would like to suggest that alternative sources may be described as well.
> See e.g.
> http://kaarpux.kaarposoft.dk/packages/c/certdata.html#certificates_from_mozilla
>
> (You are more than welcome to link to this page, if you find it
> appropriate).
>
> We are not the only ones struggling to figure out which branch to use.
> See e.g. the thread started here:
> http://curl.haxx.se/mail/archive-2013-12/0033.html
>
> The integrity of the certdata.txt file is essential,
> so I would also like to suggest that
> 1) you download from https://hg.mozilla.org/...
> 2) you include a sha256 checksum for the file.

It would seem that

https://hg.mozilla.org/releases/mozilla-release/raw-file/058ed8ee9adf/security/nss/lib/ckfw/builtins/certdata.txt

is correct right now, but I don't see a way to specify 'current' or 'latest' for the raw file that we need. We could write a script to download the html and then parse the raw file URL, but that would require downloading a 5M file just to get the URL of a 1.5M file. :(

I don't see how we can give a checksum if the file is changing. We need to let users decide which version they need.

I'd be interested in other ideas.

  -- Bruce
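
Added example, not part of the original thread: the raw-file URL quoted above embeds a changeset ID (058ed8ee9adf), so the content behind it is fixed and a SHA-256 can be recorded once per changeset. The script below downloads over HTTPS only and installs the file only when its digest matches; the function names and the use of curl and sha256sum are assumptions, and the checksum is a placeholder because the thread gives none.

```shell
#!/bin/sh
# Added example. REV is the changeset ID from the URL quoted in the thread.
REV=058ed8ee9adf
URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/$REV/security/nss/lib/ckfw/builtins/certdata.txt"

# Print the lowercase hex SHA-256 of a file (sha256sum assumed, shasum as fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_sha256() {
    vs_file=$1
    vs_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$vs_file" ] || { echo "cannot read $vs_file" >&2; return 1; }
    # Reject anything that is not exactly 64 hex digits (e.g. an unfilled placeholder).
    case $vs_want in
        *[!0-9a-f]*) echo "malformed checksum" >&2; return 1 ;;
    esac
    [ "${#vs_want}" -eq 64 ] || { echo "malformed checksum" >&2; return 1; }
    vs_got=$(sha256_of "$vs_file")
    if [ "$vs_got" != "$vs_want" ]; then
        echo "checksum mismatch for $vs_file" >&2
        return 1
    fi
}

# fetch_pinned URL EXPECTED DEST: HTTPS-only download into a temp file,
# moved to DEST only after the checksum matches.
fetch_pinned() {
    fp_tmp=$(mktemp) || return 1
    if curl --fail --silent --show-error --proto '=https' -o "$fp_tmp" "$1" &&
       verify_sha256 "$fp_tmp" "$2"; then
        mv "$fp_tmp" "$3"
    else
        rm -f "$fp_tmp"
        return 1
    fi
}

# Usage (checksum is a placeholder the maintainer records per changeset):
#   fetch_pinned "$URL" "<sha256 recorded for $REV>" certdata.txt
```

Moving to a newer certdata.txt then means changing REV and the recorded checksum together, so the published digest always refers to one specific changeset.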