Plans for IcedTea6 1.11

DJ Lucas dj at
Mon Mar 7 14:16:34 PST 2011

Pavel Tisnovsky <ptisnovs at> wrote:

>DJ Lucas wrote:
>> On 03/01/2011 05:22 PM, Dr Andrew John Hughes wrote:
>>> Some features I would like to see in 1.11 and issues that should be
>>> fixed.
>>> I'd expect 1.11 to appear in July/August; we've had an over-long
>>> development
>>> period for 1.10 (Sep-Mar).
>>> * 'make install'
>>>    It should be possible for an end user to install the resulting
>>> image,
>>>    rather than having this solely devolved to distros (distros are
>>> of course still welcome
>>>    to do their own thing and not use it).  This includes:
>>>      - cacerts generation:
>> Regarding cacerts generation, I've attached the latest diff to the
>> but I did not catch Pavel's logic change (mentioned in the previous
>> thread). I was unable to see the failure (probably something just
>> blindingly obvious), but it'd have to be accounted for. I also added
>> --with-cacerts switch which should cover distribution maintainers who
>> have a pregenerated cacerts file so that distros can easily continue to
>> "do their own thing", but nothing in the patch modifies the default
>> configure behavior. Also changed to --enable-generate-cacerts to make it
>> a bit more clear as to the purpose. As far as the failing tests (also
>> mentioned previously), I've found that either expired or invalid
>> certificates do cause the tests to fail (used an old set of
>> mozilla certificates for the input file). Probably need to guard
>> that in some way with the script (or whichever
>> preferred script is used).
>Hi Lucas,
>It would be good to filter out old and/or invalid certificates, but how
>to solve that? What about including all known-to-be-good certificates
>directly into IcedTea?

The script I used already uses openssl, so check expiration prior to running through keytool. As far as including certs in IcedTea, that might be overstepping bounds a bit, but distros should already have their own certificate policy and cacerts file anyway, so not a bad idea to include a default set. Defining policy is the kicker: who decides what authorities to trust? For LFS, I divert to and state that explicitly in the installation instructions.

-- DJ Lucas 
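
Added example, not part of the original message or of the IcedTea patch: one way to do the expiry check with openssl before anything reaches keytool, as the reply above suggests. The function names, the argument order and the optional validity margin are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; filter_bundle and import_certs are hypothetical names.
# Constructed workflow: split a PEM bundle, keep only certificates that
# parse and remain valid for MARGIN more seconds, then import with keytool.

filter_bundle() {   # filter_bundle BUNDLE OUTDIR [MARGIN_SECONDS]
    bundle=$1 outdir=$2 margin=${3:-0}
    tmp=$(mktemp -d) || return 2
    mkdir -p "$outdir"
    # One file per BEGIN/END CERTIFICATE block; other text is ignored.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%04d.pem", dir, ++n); on = 1 }
        on { print > f }
        /-----END CERTIFICATE-----/ { on = 0; close(f) }
    ' "$bundle"
    kept=0 dropped=0
    for pem in "$tmp"/cert*.pem; do
        [ -e "$pem" ] || continue
        # -checkend exits 0 only when the file parses as a certificate and
        # notAfter is more than $margin seconds away (0 = not yet expired).
        if openssl x509 -in "$pem" -noout -checkend "$margin" >/dev/null 2>&1; then
            cp "$pem" "$outdir/"
            kept=$((kept + 1))
        else
            echo "dropping $(basename "$pem"): expired, expiring or unparseable" >&2
            dropped=$((dropped + 1))
        fi
    done
    rm -rf "$tmp"
    echo "$kept $dropped"   # counts, for the caller to log or assert on
}

import_certs() {    # import_certs DIR KEYSTORE STOREPASS
    for pem in "$1"/*.pem; do
        [ -e "$pem" ] || continue
        keytool -importcert -noprompt -trustcacerts \
            -alias "$(basename "$pem" .pem)" -file "$pem" \
            -keystore "$2" -storepass "$3" || return 1
    done
}

# Stand-alone use: script BUNDLE OUTDIR KEYSTORE STOREPASS [MARGIN_SECONDS]
if [ "$#" -ge 4 ]; then
    filter_bundle "$1" "$2" "${5:-0}" >/dev/null && import_certs "$2" "$3" "$4"
fi
```

A non-zero margin also drops certificates that would expire shortly after the build, which keeps a freshly generated cacerts file from failing the same tests a few weeks later.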


More information about the distro-pkg-dev mailing list