From: Andreas Enge
Subject: Re: [PATCHES] profiles: Produce a single-file CA certificate bundle
Date: Tue, 3 Mar 2015 13:23:33 +0100
Message-ID: <20150303122333.GB7057@debian.math.u-bordeaux1.fr>
References: <87r3u7di49.fsf@netris.org> <20150204123652.GA21908@debian.eduroam.u-bordeaux.fr> <87wq3jah2w.fsf@netris.org> <20150215091632.GA9692@debian> <87sie79km0.fsf@netris.org> <87mw441fdp.fsf@gnu.org> <87sidvhx0t.fsf@netris.org> <87zj7v2gmf.fsf_-_@gnu.org> <87fv9medxv.fsf_-_@netris.org> <87bnkaeb8y.fsf@netris.org>
In-Reply-To: <87bnkaeb8y.fsf@netris.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Mark H Weaver
Cc: guix-devel@gnu.org

On Tue, Mar 03, 2015 at 03:27:57AM -0500, Mark H Weaver wrote:
> I think perhaps that we should be more selective in the certs we add to
> ca-certificates.crt. Debian has a configuration file
> /etc/ca-certificates.conf, and only adds certificates that are
> explicitly listed there to ca-certificates.crt.

Actually, I wondered about the question during the recent Comodo scandal: Should we remove the Comodo CA certificates from our store?

If we decide to remove certificates, this should not only be done in the aggregation phase into one file. They should be removed at the end of the nss-certs build, so that the single certificate files will also disappear. What is left over can be collected into one file, as is done now.

Thanks for looking into this!

Andreas
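As an added illustration of the two-step approach suggested in the message above (drop unwanted certificates from the store itself, then aggregate whatever remains into one bundle), here is a small POSIX shell sketch. It is not code from this thread or from Guix; the deny-list format, the function names and the placeholder PEM contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Guix.
# build_ca_bundle CERT_DIR DENY_LIST OUT_FILE
#   CERT_DIR:  directory of *.pem files, one certificate per file
#   DENY_LIST: assumed format: one file name per line, '#' starts a comment
#   OUT_FILE:  resulting single-file bundle
# Removing from CERT_DIR first means the per-file store and the bundle
# can never disagree about which CAs are trusted.
build_ca_bundle() {
    cert_dir=$1; deny_list=$2; out=$3
    # Step 1: remove denied certificates from the store itself.
    grep -v '^#' "$deny_list" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        rm -f -- "$cert_dir/$name"
    done
    # Step 2: aggregate what is left into one bundle file.
    : > "$out"
    for f in "$cert_dir"/*.pem; do
        [ -e "$f" ] || continue
        cat -- "$f" >> "$out"
    done
}

# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# demo: constructed sample store with placeholder PEM bodies (not real
# certificates); drops Beta_Root and checks both store and bundle.
demo() {
    tmp=$(mktemp -d)
    for n in Alpha_Root Beta_Root Gamma_Root; do
        printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER %s\n-----END CERTIFICATE-----\n' \
            "$n" > "$tmp/$n.pem"
    done
    printf '# constructed deny list\nBeta_Root.pem\n' > "$tmp/deny.conf"
    build_ca_bundle "$tmp" "$tmp/deny.conf" "$tmp/ca-certificates.crt"
    count_certs "$tmp/ca-certificates.crt"   # prints 2
    # The denied CA is gone from the store and absent from the bundle.
    [ ! -e "$tmp/Beta_Root.pem" ] && ! grep -q Beta_Root "$tmp/ca-certificates.crt"
}
```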