On Sat, Jul 12, 2008 at 02:02:31PM +0200, martin f krafft wrote: > tags 309564 patch > thanks > > also sprach martin f krafft <[EMAIL PROTECTED]> [2008.07.11.1206 +0200]: > > Mike Hommey pointed me to > > mozilla/security/nss/lib/ckfw/builtins/README in the nss source for > > the fastest way to get CAcert's cert in for lenny > > I followed those instructions, added the two CAcert certificates and > the SPI Inc. 2008 certificate, bumped the library version to 1.71, > and produced the attached patch. > > I have tried the new package and can verify that it works. I have > also verified the fingerprints with another person looking over my > shoulder. > > The only thing I don't like now is that the CAcert certs show up > under "Root CA", which is the CN they use. I don't think there's > anything we can do about it though. > > Looking at the list of certs Mozilla ships by default, I'd say this > patch should go upstream! If anyone objects because of trust issues, > I'd like to see trust paths for all the CAs that are being provided, > many of which don't even provide URLs or policies. But this is > another issue.
Thanks Martin. I only have one concern with your patch (well, two, actually): I'm not sure how the library version is being used, but surely, we should take care there won't be a problem with us having a somehow conflicting version number with upstream (next time they add a CA, they are likely to use this version ; are we going to keep increasing this version compared to upstream ?) My second concern is that your patch looks like a NUMdiff, but is not using dpatch like the rest of the package. But don't care too much about that, that's just nitpicking ;) Mike -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
