Bug#944450: should use policies file for firefox-esr and thunderbird PKI setup
Hi Wolfgang,
Am Sonntag, 10. November 2019 schrieb Wolfgang Schweer:
> Package: debian-edu-config
> Version: 2.10.65+deb10u2
> Severity: important
>
> The method used for rootCA certificate integration for firefox-esr (>=
> 68.2.0esr) is deprecated. Instead of touching each user's home
> directory, nowadays the use of a policies file is the recommended way to
> go. This has the benefit that it will be valid for thunderbird (>=
> 68.2.1, atm in unstable) as well.
>
> The policy file should be shipped as
> share/firefox-esr/distribution/policies.json and should have this content:
>
> {
> "policies": {
> "Certificates": {
> "ImportEnterpriseRoots": true,
> "Install": [
> "/etc/ssl/certs/Debian-Edu_rootCA.crt"
> ]
> },
> "NewTabPage": false,
> "OverrideFirstRunPage": ""
> }
> }
>
> This makes sure that the Debian-Edu_rootCA.crt file gets installed as
> trusted certificate for firefox-esr and thunderbird. It also forces the
> Debian Edu startpage to be shown prominently like before (instead of the
> Firefox one) at first launch; the Firefox privacy page is available via
> a second tab (i.e. the both tabs are switched).
>
> In addition, no longer needed files should be removed
> (share/debian-edu-config/{installs.ini,profiles.ini,profiles.ini.ff})
> and these related tools should be adjusted
> (share/debian-edu-config/tools/{gosa-cate,create-user-nssdb,update-cert-dbs},
> ldap-tools/ldap-debian-edu-install).
>
> Wolfgang
This is a nice finding, indeed. Awesome. Sounds like the proper way to go... (and solve several issues with one shot).
Greets,
Mike
--
Gesendet von meinem Fairphone2 (powered by Sailfish OS).
Reply to: