author | Michael Shuler <michael@pbandjelly.org> | 2013-08-30 18:16:11 -0500 |
---|---|---|
committer | Michael Shuler <michael@pbandjelly.org> | 2013-08-30 18:16:11 -0500 |
commit | 1e275d7133e37819a6baacd6671af0ca637fa28a (patch) | |
tree | 1bcbaa30f961e708a83417fba70b43964c0ec0cc | |
parent | f3cdf53c86d9b0e3c5f7bf147cd85e49d327c470 (diff) | |
download | ca-certificates-1e275d7133e37819a6baacd6671af0ca637fa28a.tar.gz |
Update README.Debian for the following:
- Update local certificate handling
- Update CA inclusion policy for ca-certificates
- Clarify that not all software that uses SSL uses ca-certificates
- ASCIIify quotes
-rw-r--r-- | debian/README.Debian | 65 |
-rw-r--r-- | debian/changelog | 8 |
2 files changed, 40 insertions, 33 deletions
diff --git a/debian/README.Debian b/debian/README.Debian index a27197d..b15ed36 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -1,4 +1,4 @@ -The Debian Package “ca-certificates” +The Debian Package ca-certificates ---------------------------------- This package includes PEM files of CA certificates to allow SSL-based 
@@ -11,48 +11,47 @@ Full responsibility to assess them belongs to the local system administrator. The CA certificates contained in this package are installed into -“/usr/share/ca-certificates”. +/usr/share/ca-certificates/. -The configuration file “/etc/ca-certificates.conf” is seeded with -trust information through Debconf. Just call “dpkg-reconfigure -ca-certificates” to adjust the settings. +The configuration file /etc/ca-certificates.conf is seeded with +trust information through Debconf. Just call 'dpkg-reconfigure +ca-certificates' to adjust the settings. -“update-ca-certificates” will then update “/etc/ssl/certs” which may be -used by the web browsers in Debian. It will also generate the hash +'update-ca-certificates' will then update /etc/ssl/certs/ which may be +used by various software in Debian. It will also generate the hash symlinks and generate a single-file version in -“/etc/ssl/certs/ca-certificates.crt”. +/etc/ssl/certs/ca-certificates.crt. Some web browsers, email clients, +and other software that use SSL maintain their own CA trust database and +may not use the trusted CA certificates in this package. Those packages +that *do* use ca-certificates should depend on this package. Users can +see reverse dependencies with 'apt-cache showpkg ca-certificates'. + +How to install local CA certificates +------------------------------------------------------------------ If you want to install local certificate authorities to be implicitly trusted, please put the certificate files as single files ending with -“.crt“ into “/usr/local/share/ca-certificates” and re-run -“update-ca-certificates”. If you want to prepare a local package -of your certificates, you should depend on “ca-certificates“, install -the PEM files into “/usr/local/share/ca-certificates” as above and call -“update-ca-certificates” in the package's “postinst“. +".crt" into /usr/local/share/ca-certificates/ and re-run +'update-ca-certificates'. 
If you remove local certificates from +/usr/local/share/ca-certificates/, you can remove symlinks by running +'update-ca-certificates --fresh'. If you want to prepare a local +package of your certificates, you should depend on ca-certificates, +install the PEM files into /usr/local/share/ca-certificates/ as above +and call 'update-ca-certificates' in the package's postinst, and should +call 'update-ca-certificates --fresh' in the package's postrm. + +An example source package for building a local CA certificate package, +using ca-certificates (>= 20130119) (since it uses triggers) can be +found in /usr/share/doc/ca-certificates/examples/ca-certificates-local/. +The README file in the above directory has step-by-step instructions for +building a local CA certificate package. How certificates will be accepted into the ca-certificates package ------------------------------------------------------------------ -**** Notice! **** - Option 1, listed below, is deprecated. Please, see Debian bug report - #647848 for discussion on establishing a new Debian CA Certificate - Policy for CA inclusion, maintenance, and enforcement in Debian - ca-certificates. Option 2, below, is the only current method. - - http://bugs.debian.org/647848 -***************** - - Option 1: - - File a *GPG-signed* bug report against ca-certificates with - *severity normal*. The bug report must include an attached - copy of the PEM certificates of the CA, a link to and a - description of the CA, the licence of the CA certificate - and signed fingerprint and/or hash values of the certificate. - - Get two or three recommendations from other people to the - bug report, GPG-signed (preferably from the strong set). - - CA certificates will not be accepted if requested by only - one person. - - Option 2: - Get it included into Mozilla's trust store. - File a bug against ca-certificates stating this fact. 
+With the exception of SPI (http://www.spi-inc.org/) and CAcert +(http://www.cacert.org/), only those CAs included in the Mozilla trust +store will be added to the ca-certificates package in Debian. diff --git a/debian/changelog b/debian/changelog index cf92cf7..23fec1d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,14 @@ ca-certificates (20130830) UNRELEASED; urgency=low * Add ca-certificates-local source package example to documentation + * Update local certificate handling in README.Debian. + Closes: #718173 + * Update CA inclusion policy for ca-certificates in README.Debian. With + the exception of SPI and CAcert, only those CAs added to Mozilla's + trust store will be added to ca-certificates in Debian. + Closes: #647848, #609942 + * Clarify that not all software that uses SSL uses ca-certificates in + README.Debian. Closes: #664769 -- Michael Shuler <michael@pbandjelly.org> Fri, 30 Aug 2013 09:34:43 -0500 |
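
Review bot: In the debian/README.Debian hunk at -11,48 +11,47, the added sentence "If you remove local certificates from /usr/local/share/ca-certificates/, you can remove symlinks by running 'update-ca-certificates --fresh'" reads as an optional cleanup and does not say what state /etc/ssl/certs/ and /etc/ssl/certs/ca-certificates.crt are in until that command is run. For a withdrawn local CA that is the part an administrator needs, so I would word it as a required step and state whether the single-file bundle is regenerated as well. Two smaller points in the same hunk: the paragraph tells packagers to call 'update-ca-certificates' in postinst while the next paragraph says the example package "uses triggers", so say which approach is recommended; and the underline under the new heading "How to install local CA certificates" is as long as the one under the longer "How certificates will be accepted into the ca-certificates package" heading and should be shortened to match its own title. "other software that use SSL" should read "uses".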
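
Review bot: In the debian/changelog hunk, the entry "Update local certificate handling in README.Debian" is too vague for the one item that changes what local packagers are told to do: the README now asks them to call 'update-ca-certificates --fresh' in postrm. Suggest naming that in the entry, for example "Document 'update-ca-certificates --fresh' for removing local certificates and for postrm of local packages". The commit message also lists "ASCIIify quotes", which has no changelog line; either add one or fold it into an existing entry so the changelog matches the commit.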