
Re: Adding CA certificates outside of ca-certificates (see ITP #666229)

Hi Thijs,

On 17-04-12 09:26, Thijs Kinkhorst wrote:
> Hi Dennis,
> You're probably aware that there's already an APT-compatible repository
> that contains Debian packages for the current IGTF distribution?
> https://dist.eugridpma.info/distribution/igtf/current/
> How does this package relate to that? What goal do you want to reach by
> uploading to Debian proper?

Yes, I'm aware of the APT repository of the IGTF; the maintainer is a
close colleague. The current packages are not made with the Debian
Policy in mind. Although they're not outright awful, we've discussed how
we could bring the IGTF distribution more in line with the Debian way of

For administrators it's always an extra hurdle to enable or install
extra repositories. Having the IGTF distribution in Debian proper would
remove this burden.

> In the IGTF community it's more or less
> expected that relying parties update their trust anchors not too long
> after new IGTF updates are released - if a relying party uses packages
> from Debian (old)stable they can easily be two or three years old and are
> not easily updated. I'm not sure if newly accredited CAs would be
> enthusiastic to wait that long, for example.

Worse than that, CAs that lose their accreditation should be removed.
Isn't it possible to have intermediate updates in stable in such cases?
In the same way security updates are done?

> I'm unfortunately not at the upcoming EUgridPMA meeting in Karlsruhe this
> May, but perhaps there's another opportunity where we can meet to discuss
> the ideas and specifics.

Yes, sure. My contact details are below.


D.H. van Dok :: Software Engineer :: www.nikhef.nl :: www.biggrid.nl
Phone +31 20 592 22 28 :: http://www.nikhef.nl/~dennisvd/
