Changes in postlfs/security/make-ca.xml [24aff8a9:c478431]
postlfs/security/make-ca.xml
r24aff8a9 rc478431 7 7 <!ENTITY certhost "https://hg.mozilla.org/"> 8 8 <!ENTITY certpath "/lib/ckfw/builtins/certdata.txt"> 9 <!ENTITY make-ca-buildsize "6. 6MB (with all runtime deps)">9 <!ENTITY make-ca-buildsize "6.9 MB (with all runtime deps)"> 10 10 <!ENTITY make-ca-time "0.1 SBU (with all runtime deps)"> 11 11 12 12 <!ENTITY make-ca-download "https://github.com/lfs-book/make-ca/releases/download/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz"> 13 <!ENTITY make-ca-size "3 0KB">14 <!ENTITY make-ca-md5sum "6 8c8625c9456815ed17e4f2219c79372">13 <!ENTITY make-ca-size "36 KB"> 14 <!ENTITY make-ca-md5sum "67e0b911e73a859fc326171c5153d455"> 15 15 ]> 16 16 … … 18 18 <?dbhtml filename="make-ca.html"?> 19 19 20 <sect1info>21 <date>$Date$</date>22 </sect1info>23 20 24 21 <title>make-ca-&make-ca-version;</title> … … 52 49 </para> 53 50 54 &lfs110a_checked;51 &lfs112_checked; 55 52 56 53 <bridgehead renderas="sect3">Package Information</bridgehead> … … 138 135 <para> 139 136 If running the script a second time with the same version of 140 <filename>certdata.txt</filename>, for instance, to add additional 141 stores as the requisite software is installed, add the 142 <parameter>-r</parameter> switch to the command line. If packaging, 137 <filename>certdata.txt</filename>, for instance, to update the 138 stores when <application>make-ca</application> is upgraded, or to 139 add additional stores as the requisite software is installed, 140 replace the <parameter>-g</parameter> switch with the 141 <parameter>-r</parameter> switch in the command line. If packaging, 143 142 run <command>make-ca --help</command> to see all available command 144 143 line options. … … 185 184 version included in <xref linkend="nss"/>. Additional upstream downloads 186 185 are available at the links included in 187 <filename>/etc/make-ca.conf.dist</filename>. Simply copy the file to 186 <filename>/etc/make-ca/make-ca.conf.dist</filename>. 
Simply copy the 187 file to 188 188 <filename>/etc/make-ca.conf</filename> and edit as appropriate. 189 189 </para> … … 276 276 </sect2> 277 277 278 <sect2 role="configuration" id="make-ca-python"> 279 <title>Using make-ca with Python3</title> 280 281 <para> 282 When <application>Python3</application> was installed in LFS it included 283 the <application>pip3</application> module with vendored certificates 284 from the <application>Certifi</application> module. That was necessary, 285 but it means that whenever <command>pip3</command> is used it can reference 286 those certificates, primarily when creating a virtual environment or when 287 installing a module with all its wheel dependencies in one go. 288 </para> 289 290 <para> 291 It is generally considered that the System Administrator should be in 292 charge of which certificates are available. Now that <xref 293 linkend="make-ca"/> and <xref linkend="p11-kit"/> have been installed and 294 <application>make-ca</application> has been configured, it is possible to 295 make <command>pip3</command> use the system certificates. 296 </para> 297 298 <para> 299 The vendored certificates installed in LFS are a snapshot from when the 300 pulled-in version of <application>Certifi</application> was created. If 301 you regularly update the system certificates, the vendored version will 302 become out of date. 
303 </para> 304 305 <para> 306 To use the system certificates in <application>Python3</application> you 307 should set <envar>_PIP_STANDALONE_CERT</envar> to point to them, e.g for 308 the <application>bash</application> shell: 309 </para> 310 311 <screen><userinput>export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt</userinput></screen> 312 313 <warning> 314 <para> 315 If you have created virtual environments, for example when testing modules, 316 and those include the <application>Requests</application> and 317 <application>Certifi</application> modules in <filename 318 class="directory">~/.local/lib/python3.11/</filename> then those local 319 modules will be used instead of the system certificates unless you 320 remove the local modules. 321 </para> 322 </warning> 323 324 <para> 325 To use the system certificates in <application>Python3</application> with 326 the BLFS profiles add the following variable to your system or personal 327 profiles: 328 </para> 329 330 <screen role="root"><userinput>mkdir -pv /etc/profile.d && 331 cat > /etc/profile.d/pythoncerts.sh << "EOF" 332 <literal># Begin /etc/profile.d/pythoncerts.sh 333 334 export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt 335 336 # End /etc/profile.d/pythoncerts.sh</literal> 337 EOF</userinput></screen> 338 339 </sect2> 340 278 341 <sect2 role="content"> 279 342 <title>Contents</title>
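Review bot: In the entity hunk at the top, make-ca-size and make-ca-md5sum change, but the version that make-ca-download expands from (&make-ca-version;) is defined outside the lines shown. Please confirm the new md5sum 67e0b911e73a859fc326171c5153d455 was computed from the tarball that URL resolves to for the current version value. It is the only integrity value recorded for the download, so a stale version entity would leave readers with a checksum that can never match.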
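Review bot: In the hunk that moves the sample configuration to /etc/make-ca/make-ca.conf.dist, the copy target in the following unchanged line is still /etc/make-ca.conf, so the source and destination now sit in different directories. Confirm which path the script actually reads. If the configuration moved along with the .dist file, update the target too, otherwise readers will edit a file that make-ca never loads and the extra upstream sources will silently be ignored.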
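Review bot: In the new "Using make-ca with Python3" section, the two paragraphs that introduce the export say "To use the system certificates in Python3", but the variable being set is _PIP_STANDALONE_CERT and the opening paragraphs only claim an effect on pip3. Suggest wording both lead-ins as "in pip3", so readers do not assume other Python TLS clients pick up the system store. In the warning, the path ~/.local/lib/python3.11/ hard-codes the interpreter version and will go stale on the next Python update; an entity or a generic python3.x would age better. The warning also describes that directory as belonging to virtual environments, so it is worth checking that this is the location intended.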