On 12.07.2013 20:28, Toshio Kuratomi wrote:
> On Wed, Jul 10, 2013 at 01:22:37PM +0200, Jaroslav Reznik wrote:
>>
>> Because not all crypto implementations read their trusted information directly
>> from the dynamic database, the tool will take care of extracting things as
>> appropriate after making a change. This will enable administrators to run a
>> single command to add an anchor (and perform other tasks).
>>
> So it sounds like this is a modify and sync strategy? Are there other tools
> in the distribution that may modify the primary or the sync'd certificates
> that need to be changed so that they don't step on what p11-kit is doing?

If I'm understanding you correctly, then we already have such a strategy.
Admins modify files in /etc/pki/ca-trust and run update-ca-trust (is that
the sync you're talking about?), which makes sure all the legacy loaders of
the certificate bundles get updated.

This proposal simply adds a tool so that admins don't have to diddle files
directly (although that is still supported).

Cheers,

Stef