handling certificates

Mark Wielaard mark at klomp.org
Sun Feb 15 13:40:40 PST 2009


Hi Andy,

On Sun, 2009-02-15 at 18:38 +0100, Andreas Radke wrote:
> Hello, I'm the ArchLinux OpenJDK6 maintainer and we are thinking about
> how to add certificate support to our package.
> 
> In the sources we found the removal of a Fedora patch. Checking the
> Fedora specs it seems they kept doing it that way. We also looked at how
> Debian does it with their ca-certificates-java package.
> 
> What is the recommended way you suggest for the distributions?

Do it like Debian, and now Fedora also, does. We used to provide a key
store that would directly read the trusted certificates that the distro
had installed. But that proved not to be compatible with several
programs that wanted to either write to the trusted key store themselves
or tried to open it directly as a JKS file based on the path they expected
it to be. Arguably both usages are bugs in those programs, but it seemed
better at that time to go with the traditional approach.

So what Fedora and Debian now both do is have a separate sub-package
that provides a traditional cacerts keystore file generated from the
trusted root certificates that the distribution ships by default (and
that is regenerated when the trusted root certificates are updated).

Since at least the way Debian and Fedora store their default root
certificates is somewhat different we don't currently ship a script that
works in IcedTea itself. But if there is interest from other distros we
could try to merge them.

Cheers,

Mark
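
The regeneration step described in the message above, as an added example that is not part of the original post and not any distribution's actual script: a POSIX shell function that rebuilds a JKS cacerts file from a directory of PEM roots with keytool. The function names, the one-certificate-per-*.pem layout and the "changeit" store password are assumptions.

```shell
#!/bin/sh
# Added example (not IcedTea, Debian or Fedora code). Assumed: one PEM
# certificate per *.pem file in the source directory, and the conventional
# cacerts store password "changeit".
KEYTOOL="${KEYTOOL:-keytool}"

# Keystore alias from a file name: drop the extension, lowercase, and map
# every character outside [a-z0-9_] to "_".
cert_alias() {
    basename "$1" | sed -e 's/\.[^.]*$//' | tr '[:upper:]' '[:lower:]' |
        tr -c 'a-z0-9_\n' '_'
}

# rebuild_cacerts CERT_DIR OUT_FILE [STOREPASS]
# Prints the number of imported roots. The keystore is built in a temporary
# file and only moved over OUT_FILE when at least one certificate went in,
# so a failed regeneration never leaves Java with an empty trust store.
rebuild_cacerts() {
    cert_dir=$1; out=$2; pass=${3:-changeit}
    tmp="$out.new.$$"
    rm -f "$tmp"
    count=0
    for pem in "$cert_dir"/*.pem; do
        [ -f "$pem" ] || continue
        # Skip files that do not contain a PEM certificate at all.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" || continue
        if "$KEYTOOL" -importcert -noprompt -trustcacerts -storetype JKS \
               -alias "$(cert_alias "$pem")" -file "$pem" \
               -keystore "$tmp" -storepass "$pass" >/dev/null 2>&1; then
            count=$((count + 1))
        else
            echo "skipped, import failed: $pem" >&2
        fi
    done
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        echo "no certificates imported, keeping existing $out" >&2
        return 1
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$out" && echo "$count"
}
```

A package hook that runs whenever the distribution's root certificates change would call rebuild_cacerts with the distribution's certificate directory and the path where the JDK expects its cacerts file.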