also sprach Joey Schulze <joey@infodrom.org> [2006.11.04.1315 +0100]:
> Hmm, why don't you use a CAfile which is not provided by the
> package but one that is created by you on your own and which only
> incorporates the certificates you want to accept? That way you
> won't interfer with packaging.
Yes, this is the only solution it seems; but since I am talking
about at least 30 machines, and many tools, like postfix, OpenVPN,
Apache2 etc. using these certificates, changing it is not going to
be an easy endeavour and will require much testing.
> Does enabling with debconf only those certificates you want to
> accept not help as well?
As said, CAcert class 3 is not provided.
> openssl x509 -hash -noout -in cacert-class3.pem will calculate it.
> Don't forget to add ".0" to the calculated name.
c_rehash will do the same. You're right, I could also just remove
ca-certificates, or limit what it provides, and then all's well.
Thanks.
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems
"what's your conceptual continuity? --
well, it should be easy to see:
the crux of the bisquit is the apopstrophe!"
-- frank zappa
Attachment:
signature.asc
Description: Digital signature (GPG/PGP)