On Fri, 2016-11-11 at 00:54 -0600, DJ Lucas wrote:
> On 11/10/2016 01:24 AM, DJ Lucas wrote:
> > As far as I can tell, the only remaining thing brought up in the
> > previous thread was how to obtain and verify the file. I do like using
> > the release branch as the default source (with version info as provided
> > by Bruce's script on Anduin). Bruce, what do you think about signing
> > that file for verification? Or even automatically updating the date and
> > md5sum of the file in the book -- changelog would need to be skipped I
> > think, but with that little concession, it should be reasonably easy to
> > do from cron.
> >
Just curious, what was the reason for downloading the certdata.txt file to
Anduin and reprocessing it in the first place? Was it just to convert it from
html to txt and add a date as per the note?

This link provides the raw file:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
as per https://wiki.mozilla.org/CA:Root_Store_Trust_Mods

My preference would still be grabbing it from the nss tarball. For the file
certdata.txt from the current version (3.27.1) of nss, the md5sum matches the
md5sum of the above link.

I also read this thread,
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/FYIBEF_AVMI
The paragraph 'I have seen plenty of bungled attempts...' worries me a bit.
Having limited knowledge of how certificates work myself, I cannot give any
other advice.

Wayne.

> Still need to address the above, but a completed script is located here:
>
> http://www.linuxfromscratch.org/~dj/make-ca.sh
>
> Added conditional logic for NSS and Java. Uses (for now) certdata.txt
> file downloaded from any source, still required in current directory,
> but accounts for version information in the file on Anduin. Script
> reports for each file and store it is imported into (and trust bits for
> certificates imported into NSS DB). Only hard dependencies are bash,
> gawk, grep, openssl, and sed, with optional dependencies for NSS and
> OpenJDK.
>
> Proposed book changes will have to wait unti

--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
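Two checks the thread circles around, written here as an added example that is not make-ca.sh or anything posted by its participants: comparing two copies of certdata.txt by digest (sha256 is used in place of the md5sum compared above) and listing the trust bits of every CKO_NSS_TRUST object before anything is imported into a store. The function names `certdata_same_digest` and `certdata_trust_report` and the miniature certdata.txt are constructed for this example.

```shell
#!/bin/sh
# Added example (not DJ Lucas's make-ca.sh): two pre-import checks on certdata.txt.
#  certdata_same_digest A B  - do two copies (hg raw file vs. the one in the nss
#      tarball) match? Uses sha256 rather than the md5sum compared in the thread.
#  certdata_trust_report F   - one line per CKO_NSS_TRUST object with its
#      server/email/code-signing trust bits, so distrusted entries show up
#      before anything is written to a store.
certdata_same_digest() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
certdata_trust_report() {
    awk '
        function bit(v) {
            if (v == "CKT_NSS_TRUSTED_DELEGATOR") return "yes"
            if (v == "CKT_NSS_NOT_TRUSTED")       return "DISTRUST"
            return "no"   # CKT_NSS_MUST_VERIFY_TRUST: not a root for this purpose
        }
        # Only trust objects carry the bits; CKO_CERTIFICATE objects are skipped.
        /^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/ { t = 1; label = ""; s = e = c = "no"; next }
        t && /^CKA_LABEL UTF8 "/ { sub(/^CKA_LABEL UTF8 "/, ""); sub(/"[ \t]*$/, ""); label = $0; next }
        t && /^CKA_TRUST_SERVER_AUTH /      { s = bit($3) }
        t && /^CKA_TRUST_EMAIL_PROTECTION / { e = bit($3) }
        t && /^CKA_TRUST_CODE_SIGNING /     { c = bit($3) }
        # CKA_TRUST_STEP_UP_APPROVED is the last attribute of every trust object.
        t && /^CKA_TRUST_STEP_UP_APPROVED / { print label "|server=" s "|email=" e "|code=" c; t = 0 }
    ' "$1"
}
# Constructed miniature certdata.txt: two trust objects, DER blobs omitted.
SAMPLE_CERTDATA=$(mktemp)
cat > "$SAMPLE_CERTDATA" <<'EOF'
# Trust for "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Trust for "Example Distrusted CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
EOF
certdata_trust_report "$SAMPLE_CERTDATA"
```

On a real certdata.txt the report runs over the full file unchanged, since the DER blocks between the attributes never match any of the awk rules.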
