Please do not reply directly to this email. All additional comments should be
made in the comments box of this bug.

https://bugzilla.redhat.com/show_bug.cgi?id=474549

David Woodhouse <dwmw2@xxxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dwmw2@xxxxxxxxxxxxx
         Depends on|                            |466626

--- Comment #12 from David Woodhouse <dwmw2@xxxxxxxxxxxxx> 2010-01-08 14:09:51 EDT ---
Technical review... you include these files:

%{pkidir}/tls/certs/%{name}-class1.crt
%{pkidir}/tls/certs/%{class1hash}.0

But that is broken. Nothing will ever use the first, and I'm not even sure if
they'll use the second. Besides, the hash function used is a fairly weak one
and it's quite likely that there will be collisions. You can't just assume that
you can use %{hash}.0 as the file name.

We need a script to rebuild the /etc/pki/tls/cert.pem file from a configurable
list of original certs, like Debian has (see bug #466626). And you should be
using that in your %post script.

You also need to add it to the system-wide NSS database. We have that working
now, and hopefully we'll deploy it in firefox/thunderbird/evolution in time for
Fedora 13. Then we can just add the new cert to the central database in
/etc/pki/nssdb/ and it'll actually work for everything which uses NSS. Our
solution for bug #466626 will need to do that too, presumably.

_______________________________________________
Fedora-package-review mailing list
Fedora-package-review@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-package-review
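The collision point in the comment above, as an added example that is not part of the original mail or of the package under review: a certificate dropped into a hashed directory takes the first free `<hash>.<n>` slot instead of assuming `.0`. The function name `install_hashed`, the hash value and the two certificate bodies are constructed for illustration; the hash is assumed to come from `openssl x509 -subject_hash`, and sameness is judged by comparing file contents.

```python
import hashlib
import os
import tempfile


def install_hashed(cert_dir, subject_hash, pem_bytes):
    """Store pem_bytes as <subject_hash>.<n>, using the first free n.

    Returns the file name used. A slot that already holds the same
    certificate (same SHA-256 of the file contents) is reused.
    """
    want = hashlib.sha256(pem_bytes).digest()
    n = 0
    while True:
        name = f"{subject_hash}.{n}"
        path = os.path.join(cert_dir, name)
        try:
            # O_EXCL: never overwrite a slot that another certificate owns.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        except FileExistsError:
            with open(path, "rb") as f:
                if hashlib.sha256(f.read()).digest() == want:
                    return name  # already installed, nothing to do
            n += 1  # different certificate, same hash: try the next suffix
            continue
        with os.fdopen(fd, "wb") as f:
            f.write(pem_bytes)
        return name


def demo():
    # Constructed stand-ins for two different CA certificates whose
    # subject hash is assumed to collide (hypothetical value 0123abcd).
    cert_a = b"-----BEGIN CERTIFICATE-----\nQQ==\n-----END CERTIFICATE-----\n"
    cert_b = b"-----BEGIN CERTIFICATE-----\nQg==\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as d:
        return [
            install_hashed(d, "0123abcd", cert_a),
            install_hashed(d, "0123abcd", cert_b),
            install_hashed(d, "0123abcd", cert_a),  # re-run, as in %post
        ]


if __name__ == "__main__":
    print(demo())
```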