Summary: | app-misc/ca-certificates: allow user customization /etc/ca-certificates.conf | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
Component: | Current packages | Assignee: | Gentoo's Team for Core System packages <base-system> |
Status: | UNCONFIRMED --- | | |
Severity: | trivial | CC: | djmatic8, flow, jasmin+gentoo, Martin.vGagern, zima |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Description
Thomas Deutschmann (RETIRED)
2014-03-17 14:47:25 UTC
that header is generated on the fly by Debian in their postinst. not exactly easy to extract ... hmm, actually in the current system, the header is correct. you cannot edit that file because we will simply blow it away on the next emerge (by design). the file is explicitly masked from config protection. you could add a hook in /etc/ca-certificates/update.d, but that's a hack at best. the only option atm is to actually rm the relevant file.

I've just bumped into this problem, and with some help found out that certs placed in /usr/local/share/ca-certificates/ are added by update-ca-certificates into /etc/ssl/certs/ca-certificates.crt even if they're not listed in /etc/ca-certificates.conf. That allows for addition of trusted certs. I'm not sure how to proceed if someone wanted to disable a certificate provided upstream.

How about writing an eselect module? I had one in the past though I lost it somewhere in bitrot.

The man page for update-ca-certificates(8) reads as though the canonical way to configure this would be the /etc/ca-certificates.conf file. If that's not the case on Gentoo, consider updating that man page, and also the header comment to suggest alternatives like the use of /usr/local/share/ca-certificates/. Of course, having the file actually configurable would be preferable. Perhaps you could have a separate file which gets appended to /etc/ca-certificates.conf upon install, and which could contain additional names as well as !-prefixed removals? Then the header should suggest editing this other file instead, together with instructions on how to rebuild the combined list.
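The separate-override-file idea from the last comment, sketched as an added example (not code from this bug or from the ca-certificates package). The function name `merge_ca_conf`, the override file and the merge semantics are assumptions; only the `#` comment and `!` deselect syntax come from the existing conf format.

```shell
#!/bin/sh
# Added example, not from the bug thread or the ca-certificates package.
# merge_ca_conf BASE LOCAL
#   BASE  : generated list in ca-certificates.conf syntax
#   LOCAL : hypothetical admin-owned override file, same syntax
# Syntax: "#" starts a comment, a leading "!" deselects a certificate.
# Prints BASE with LOCAL applied; BASE itself is never modified.
merge_ca_conf() {
    # No override file: the generated list is used unchanged.
    [ -r "$2" ] || { cat "$1"; return; }
    awk '
        # Comments and blank lines: keep them from BASE, drop them from LOCAL.
        /^[ \t]*(#|$)/ { if (FILENAME != ARGV[1]) print; next }
        { name = $0; sub(/^!/, "", name) }
        # LOCAL is read first: record the wanted state of each entry.
        FILENAME == ARGV[1] {
            if (!(name in want)) order[++n] = name
            want[name] = $0          # a later line for the same name wins
            next
        }
        # BASE: an override replaces the line in place, keeping its position.
        (name in want) { print want[name]; seen[name] = 1; next }
        { print }
        # Entries known only to LOCAL (e.g. a site CA) go at the end.
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in seen)) print want[order[i]]
        }
    ' "$2" "$1"
}
```

Because the merge is recomputed from the override file each time, a `!`-prefixed removal of an upstream certificate survives regeneration of the base list, which is the case the thread has no answer for.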