Description of problem: We could follow Fedora and make use of ca-certificate instead of rootcerts. ca-certificates bundles rootcerts already.
Did you reply to the thread that was on the dev ML asking why this package?
Source RPM: ca-certificate => (none)
Keywords: (none) => Triaged
Summary: use ca-certificate => use ca-certificate instead of rootcerts
Source RPM: (none) => ca-certificate
AFAIK he didn't and this is definitely a topic that should be discussed at dev ml first..
CC: (none) => mageia
Hardware: i586 => All
CC: (none) => luigiwalser, oe
FYI. The rootcerts package and the work of consolidating software using the /etc/pki/tls/certs/ca-bundle.crt was started by me back in 2005, after being inspired by the rootcerts updates in Microsoft. To my knowledge no other open source based distro had implemented this at the time. Now at least Debian, SUSE and Red Hat have caught up, but are using their own implementations. A discussion was initiated some years ago to standardize this and use only one implementation; no consensus was reached. To piggyback on the Red Hat implementation would probably simplify this for Mageia, but what the impact would be is unknown to me. Maybe you will have to use all of their nss splits in order to benefit from this fully, or cherry-pick the needed patches only. There's a catch with these root CA certs and that is that many of them require license agreements for distributing them. The best way to really see this is to examine the rootcerts updates in Microsoft who most certainly have all licensing in order. In the nmap source you can find a way to extract the rootcerts from Microsoft, and one option I thought of was to do just that instead of using the Mozilla store, but... Anyway, good luck with this switch.
(In reply to Sander Lepik from comment #2)
> AFAIK he didn't and this is definitely a topic that should be discussed at
> dev ml first..

I talked with oden and Luigi12 about this, but my reply forgot the dev ML. I am not against starting a thread; I did this bug report as requested by Luigi12.
Blocks: (none) => 11665
Has this discussion led somewhere?
Yes, in Bug 15027. We've been in freeze for most of this millennium though, so nothing can be done yet.
Is it possible to merge both bug reports, or can they be treated separately?
(In reply to Samuel VERSCHELDE from comment #7)
> Is it possible to merge both bug reports, or can they be treated separately?

They are actually separate issues, just related. They'll be dealt with separately (I'll fix Bug 15027 first as that will be relatively easy). This bug will be much more difficult.
Assignee: bugsquad => pkg-bugs
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=15027
CC: (none) => ngompa13
Am I the only one who uses google-chrome-beta on Mageia 6? Since last week I cannot update to the latest version because of:

Sorry, the following package cannot be selected:
- google-chrome-beta-63.0.3239.30-1.x86_64 (due to unsatisfied ca-certificates)

Doesn't this new requirement make this bug much more urgent?
CC: (none) => dieter.rogiest
No, it's not urgent. You can force the installation for now.
I am also just getting this now with a Google Chrome update notice on my main Mageia box. The update shows the same error. I am also getting the same feedback from my approx. 40 or so "70-80 year-old Mageia users" that I help manage their systems as a volunteer. Some of them would rather use Google Chrome and are now confused as to what to do with this situation. It would be great if there were a seamless fix to this for any other Mageia just new to the Mageia scene.

Marc
CC: (none) => marc
How about as a quick fix, add ca-certificates as a virtual provide on our rootcerts package...
CC: (none) => tmb
(In reply to Thomas Backlund from comment #12)
> How about as a quick fix, add ca-certificates as a virtual provide on our
> rootcerts package...

That was done for cauldron in Oct. but it was not backported to either mga5 or mga6.
CC: (none) => cae
*** Bug 22144 has been marked as a duplicate of this bug. ***
CC: (none) => petlaw726
Closing this one if it is fixed in cauldron, and separating bug 22144 to push the update to MGA6.
CC: (none) => lists.jjorge
Status: NEW => RESOLVED
Resolution: (none) => FIXED
So, to be clear, if one installs rootcerts from cauldron into Mga6, this problem will not occur in Mga6? Is there something delaying the backporting of the cauldron rootcerts into mga6?
CC: (none) => unruh
(In reply to w unruh from comment #16)
> So, to be clear, if one installs rootcerts from cauldron into Mga6, this
> problem will not occur in Mga6?

Yes, but this is not supported.

> Is there something delaying the backporting of the cauldron rootcerts into
> mga6?

Just the time to do it. It will be followed in the bug against MGA6.
Just FYI, the bug marked a duplicate of this one isn't; just providing ca-certificates isn't the same thing as actually *being* the ca-certificates package from Fedora. I'm no longer so certain that's a good idea anyway though.
Resolution: FIXED => WONTFIX
For all practical purposes our rootcerts rpm and the Fedora ca-certificates rpm do the same job. Both are mostly derived from Mozilla's root CA list (the file "certdata.txt"). Using rootcerts I have had no complaints of bad or missing certs when using google-chrome-unstable rpms.
Google Chrome refuses to install. That is certainly a bug which SHOULD be fixed. In cauldron, the fix is that the rootcerts package is altered to also state that it provides fulfilment of the installation of the rootcerts package. Comment 118 claims that this might cause unstated problems. a) Has the fix in cauldron been retracted? b) What fix is proposed for Mga6 if not that in cauldron? c) While "just providing ca-certificates isn't the same thing as actually *being* the ca-certificates package from Fedora" is certainly true, what does it matter? Does it fix the inability to install Chrome? Does it cause other problems? Refusing to fix MGA6 does not, to me, seem a reasonable option. And just stating that you can force the installation is useless since most users will not know what that means or how to do it, and do not know it is a possible fix (they will not read this confused bug report). And having Mageia state "We do not support the installation of Chrome" does not seem to do Mageia any favours.
unruh, you completely misunderstood my comment. This bug, Bug 11398, has absolutely nothing to do with Google Chrome. This bug was about doing away with our rootcerts package and importing Fedora's ca-certificates package to replace it. I was trying to clarify that, because most of the comments posted here from Comment 9 on, were about a completely different issue than what this bug was for, creating confusion. The issue with Google Chrome has been filed as, and is being addressed in, Bug 22144, and a fix has already been built for it. Nobody is refusing to fix anything here.
Sorry about the misunderstanding. Your "won't fix" therefore refers to replacing the rootcerts package with ca-certificates from Fedora/Redhat/Debian. Yes, I notice in 22144 that you have ported the virtual provide of ca-certificates into Mga6. Thanks.