flatcar-scripts

mirror of https://github.com/flatcar/scripts.git synced 2025-08-16 17:36:59 +02:00

History

Michael Marineau 1e25d77df7 add(app-misc/ca-certificates): Add new CA cert package. This package is based exclusively on the Mozilla certificate store distributed in their NSS library and adopts NSS's version accordingly. It replaces the previous Gentoo package which came directly from Debian. The Debian package package had a couple issues we didn't like: - Trusts the http://cacert.org root CA which isn't the worst thing in the world to do but seems like a really bad default policy to ship. - update-ca-certificates had a confusing configuration/hook scheme which seemed almost useful but completely obnoxious and useless to CoreOS at the same time. systemd-tmpfiles plus a simpler script does a better job for us. The python script certdata2pem.py came from Debian's source package ca-certificates_20130119 and modified slightly. It is only used at build-time to convert the file format used by NSS to PEM files. The old packages used dates as the version, this one uses the NSS library the certificate store came from as the version. This may cause an issue if packages from Gentoo depend on >=ca-certificates-20080809 or similar. Currently the only packages in Gentoo that do so are sci-misc/boinc and www-client/epiphany, neither of which will ever be needed in CoreOS so we should be OK.	2014-02-20 09:09:37 -08:00
..
src/third_party/coreos-overlay	add(app-misc/ca-certificates): Add new CA cert package.	2014-02-20 09:09:37 -08:00

Michael Marineau 1e25d77df7 add(app-misc/ca-certificates): Add new CA cert package.

This package is based exclusively on the Mozilla certificate store
distributed in their NSS library and adopts NSS's version accordingly.
It replaces the previous Gentoo package which came directly from Debian.

The Debian package package had a couple issues we didn't like:

 - Trusts the http://cacert.org root CA which isn't the worst thing in
   the world to do but seems like a really bad default policy to ship.
 - update-ca-certificates had a confusing configuration/hook scheme
   which seemed almost useful but completely obnoxious and useless to
   CoreOS at the same time. systemd-tmpfiles plus a simpler script does
   a better job for us.

The python script certdata2pem.py came from Debian's source package
ca-certificates_20130119 and modified slightly. It is only used at
build-time to convert the file format used by NSS to PEM files.

The old packages used dates as the version, this one uses the NSS
library the certificate store came from as the version. This may cause
an issue if packages from Gentoo depend on >=ca-certificates-20080809 or
similar. Currently the only packages in Gentoo that do so are
sci-misc/boinc and www-client/epiphany, neither of which will ever be
needed in CoreOS so we should be OK.

2014-02-20 09:09:37 -08:00

src/third_party/coreos-overlay

add(app-misc/ca-certificates): Add new CA cert package.

2014-02-20 09:09:37 -08:00