curl-library
some thoughts about mk-ca-bundle.pl
Date: Tue, 11 Nov 2014 23:33:27 +0100
Hi,
in March 2011 someone contributed code to mk-ca-bundle.pl which did make
use of the mirror function, and AFAIK which in turn checked via a HEAD
request if there was a new version of certdata.txt, and stopped the
script when certdata.txt had the same version as a locally stored copy ...
now since we use the new place with certdata.txt downloaded from HG this
seems no longer possible, and another one contributed code to do a
similar job ...
however to me this seems to be total overkill; currently we do:
1) always download certdata.txt (since we don't know about its age due to
HEAD no longer working)
2) create a SHA1 checksum of the downloaded certdata.txt
3) parse the ca-bundle.crt for the stored SHA1 checksum
4) compare those 2 SHA1 checksums and then decide if we should create a
new ca-bundle.crt or not
now usually the download of the certdata.txt file is most of the
script's execution time, while creating a new ca-bundle.crt takes only a
second or two on today's machines ...
at a minimum I would like to change the SHA1 checksum to MD5 since we
don't use it here for security but only as checksum over certdata.txt;
this would make the script more compatible with older Perl versions
where Digest::SHA might not be part of the Perl core ...
more I would like to remove this checking completely, and just always
create a fresh ca-bundle.crt and backup the old, as we did years ago;
this checking makes no real sense to me since we have anyway already
downloaded a fresh certdata.txt, and would probably only save a second
execution time for creating a fresh ca-bundle.crt while we did already
use 5 or more secs to download certdata.txt + time to create the
checksum ...
comments please!
Gün.
Received on 2014-11-11
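
Steps 2) to 4) of the check described in the message, sketched in Perl as an added example (not code from mk-ca-bundle.pl or from the poster). The `## SHA1: <hex>` header line format, the sub names and the sample file contents are assumptions, and the download in step 1) is replaced by a constructed local file.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
# Change detector only, not integrity: Digest::SHA if installed, else Digest::MD5.
my ($algo, $hex);
if (eval { require Digest::SHA; 1 }) {
    ($algo, $hex) = ('SHA1', \&Digest::SHA::sha1_hex);
} else {
    require Digest::MD5;
    ($algo, $hex) = ('MD5', \&Digest::MD5::md5_hex);
}

# Step 2: checksum of the downloaded certdata.txt.
sub file_digest {
    my ($path) = @_;
    open(my $fh, '<:raw', $path) or die "cannot read $path: $!";
    my $data = do { local $/; <$fh> };
    return $hex->($data);
}

# Step 3: stored checksum; assumed header "## SHA1: <hex>", '' if absent.
sub stored_digest {
    my ($bundle) = @_;
    open(my $fh, '<', $bundle) or return '';
    while (my $line = <$fh>) {
        return lc $1 if $line =~ /^## \Q$algo\E: ([0-9a-fA-F]+)\s*$/;
    }
    return '';
}

# Step 4: rebuild only when the two checksums differ.
sub needs_rebuild {
    my ($certdata, $bundle) = @_;
    return file_digest($certdata) ne stored_digest($bundle);
}

sub write_file {
    my ($path, $text) = @_;
    open(my $fh, '>', $path) or die "cannot write $path: $!";
    print {$fh} $text;    # handle is flushed and closed when $fh leaves scope
}

# Constructed sample files stand in for the download and the old bundle.
my $dir = tempdir(CLEANUP => 1);
my ($certdata, $bundle) = ("$dir/certdata.txt", "$dir/ca-bundle.crt");
write_file($certdata, "# constructed certdata, revision 1\n");
write_file($bundle, "## $algo: " . file_digest($certdata) . "\n(bundle body)\n");
print "same certdata:    ", (needs_rebuild($certdata, $bundle) ? "rebuild" : "keep"), "\n";
write_file($certdata, "# constructed certdata, revision 2\n");
print "changed certdata: ", (needs_rebuild($certdata, $bundle) ? "rebuild" : "keep"), "\n";
```

A bundle whose header was written with the other digest algorithm has no matching line, so it is treated as stale and rebuilt.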