DJ Lucas wrote:
>
> On 03/06/14 11:15, Bruce Dubbs wrote:
>> Henrik /KaarPoSoft wrote:
>>> Dear all,
>>>
>>> On
>>> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html
>>> you indicate to download CA Certificates from:
>>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
>>>
>>> However, on the "mxr frontpage"
>>> http://mxr.mozilla.org/
>>> the branch "Mozilla CVS"
>>> http://mxr.mozilla.org/mozilla/
>>> is described as follows:
>>>
>>> QUOTE
>>> This contains the entire current CVS repository.
>>> For Gecko, XULRunner, and Firefox, CVS trunk is no longer the trunk,
>>> and is instead used for Gecko 1.9 / Firefox 3 and the 1.9.0.* / 3.0.*
>>> security releases.
>>> UNQUOTE
>>>
>>> So I would like to suggest that alternative sources may be described as well.
>>> See e.g.
>>> http://kaarpux.kaarposoft.dk/packages/c/certdata.html#certificates_from_mozilla
>>>
>>> (You are more than welcome to link to this page, if you find it
>>> appropriate).
>>>
>>> We are not the only ones struggling to figure out which branch to use.
>>> See e.g. the thread started here:
>>> http://curl.haxx.se/mail/archive-2013-12/0033.html
>>>
>>> The integrity of the certdata.txt file is essential,
>>> so I would also like to suggest that
>>> 1) you download from https://hg.mozilla.org/...
>>> 2) you include a sha256 checksum for the file.
>> It would seem that
>> https://hg.mozilla.org/releases/mozilla-release/raw-file/058ed8ee9adf/security/nss/lib/ckfw/builtins/certdata.txt
>> is correct right now, but I don't see a way to specify 'current' or
>> 'latest' for the raw file that we need.
>>
>> We could write a script to download the html and then parse the raw file
>> URL, but that would require downloading a 5M file just to get the url of
>> a 1.5M file. :(
>>
>> I don't see how we can give a checksum if the file is changing. We need
>> to let users decide which version they need.
>>
>> I'd be interested in other ideas.
>>
>>    -- Bruce
>>
>>
> Couple of possible suggestions. First, and easiest, leave it alone. I
> know that the file in that repo was updated at least fairly recently.

Really? When I download that file I get:

CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.87 $ $Date: 2012/12/29 16:32:45 $"

> I'd imagine it will continue unless they are killing off maintenance on
> 1.9. Second, look at the url in the comments of the perl script which
> was taken from Fedora. It has a link to their package, just follow their
> lead.

That's the same file.

> A third possible solution is to add a comment to each of the 4
> Mozilla packages to update a copy of the cacerts.txt on Anduin from
> whichever is the latest package at the time of update. Personally, the
> third is my favorite, but it adds editor work.

Well there is http://anduin.linuxfromscratch.org/sources/other/certdata.txt
that updates daily. I was thinking of adding a CVS line to it so the
scripts don't have to change. The files in the packages are snapshots of
those I think.

The issue I have is that they need to have a way to identify the version
number or date the file was updated.

   -- Bruce
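
Added example, not part of the thread and not BLFS's own script: one way to combine the two requests discussed above, a pinned SHA-256 for certdata.txt and a way to tell which snapshot was fetched, using the CVS_ID line quoted in the reply. The function names and the sample file are constructed for illustration, and the pin is computed from the sample here where a real setup would use a value published alongside the instructions.

```shell
#!/bin/sh
# Added example: pin a certdata.txt snapshot by SHA-256 and report its revision.

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Print "<revision> <date> <time>" from the CVS_ID line; fail if the
# keywords are not expanded, since the snapshot then cannot be identified.
certdata_version() {
    ver=$(sed -n 's|^CVS_ID "@(#) \$RCSfile: certdata\.txt,v \$ \$Revision: \([0-9.][0-9.]*\) \$ \$Date: \([0-9/][0-9/]* [0-9:][0-9:]*\) \$".*|\1 \2|p' "$1" | head -n 1)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Succeed only if the file matches the pinned digest AND names its revision.
# Return codes: 0 ok, 1 digest mismatch, 2 unreadable file, 3 no revision.
verify_certdata() {
    [ -r "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ] || return 1
    certdata_version "$1" || return 3
}

# Constructed sample: only the header line matters for this demonstration.
write_sample() {
    printf '%s\n' '# constructed sample, not a real trust list' \
        'CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.87 $ $Date: 2012/12/29 16:32:45 $"' > "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_sample "$tmp/certdata.txt"
pin=$(sha256_of "$tmp/certdata.txt")   # assumption: normally a published value
verify_certdata "$tmp/certdata.txt" "$pin"
```

Checking the digest before reading the revision means the CVS_ID line is only trusted once the file as a whole has matched the pin.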