mirror of https://github.com/nix-community/buildcatrust.git synced 2025-12-12 15:57:45 +00:00
Turns various inputs into various outputs

buildcatrust

buildcatrust is a tool for turning trust stores into other trust stores.

In particular, it's intended for use within NixOS, for turning the Mozilla NSS cert store into a format that can be used by various downstream systems (see below).

Why

The original author (lukegb) was not particularly happy with any of the existing options: they tend to lose some of the semantic meaning of the input NSS store, and this is undesirable.

In particular, there is a well-documented problem that Linux distributions have in general with distrusting certificates: the NSS store can say "distrust this CA for server authentication, but only for certificates issued after a given date" (the CKA_NSS_SERVER_DISTRUST_AFTER attribute), and most downstream formats have no way to express that. This package does not itself solve this 100% (because the nuance still isn't readily encodable in every output format), but the goal is to not make things worse. That is, running Firefox on a system configured to use a buildcatrust-built certificate store should not drop distrust dates. Other software may vary, depending on its support for distrust-after.

Goals

  • Have no runtime dependencies outside of the Python standard library
    • Runtime dependencies complicate packaging, particularly on NixOS, where buildcatrust is part of the bootstrap path for building everything else.
  • Have decent test coverage
  • Convey as many trust bits from the source system to downstream systems as possible
    • In some cases, this means using software-specific hacks (such as for OpenSSL)
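To make the "trust bits" and "distrust-after" points above concrete, here is an added example (not buildcatrust's own code, and not its API) that reads a small fragment in the NSS certdata.txt syntax using only the Python standard library, recovers the per-purpose trust values and the CKA_NSS_SERVER_DISTRUST_AFTER date, and then maps the trust bits onto the trusted/rejected purpose lists of OpenSSL's "TRUSTED CERTIFICATE" auxiliary format. The sample input is constructed for this example; the function names (parse_certdata, distrust_after, trusted_for_server_auth, openssl_aux_trust, summarize) are this example's own. The NSS attribute and constant names are the real ones from certdata.txt.

```python
"""Added example: read NSS certdata.txt trust objects without losing semantics."""
import re
from datetime import datetime, timezone

# Constructed sample in certdata.txt syntax (not a real root). Real files also
# carry serial, issuer and hash attributes; these are the fields that decide
# trust. The octal run decodes to the ASCII UTCTime "230731000000Z".
SAMPLE_CERTDATA = r"""CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Example Root CA (constructed)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\063\060\067\063\061\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
"""

_OCTAL = re.compile(r"\\([0-7]{3})")  # one "\ooo" escape in a MULTILINE_OCTAL body


def parse_certdata(text):
    """Return a list of objects, each a dict of attribute -> (type, value).

    A new object starts at every CKA_CLASS line. MULTILINE_OCTAL values are
    decoded to bytes; UTF8 values have their surrounding quotes removed.
    """
    objects, current = [], {}
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        name, typ = parts[0], parts[1]
        if name == "CKA_CLASS" and current:
            objects.append(current)
            current = {}
        if typ == "MULTILINE_OCTAL":
            chunks = []
            for more in lines:
                if more.strip() == "END":
                    break
                chunks.append(more)
            value = bytes(int(o, 8) for o in _OCTAL.findall("".join(chunks)))
        else:
            value = parts[2] if len(parts) > 2 else ""
            if typ == "UTF8" and len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
        current[name] = (typ, value)
    if current:
        objects.append(current)
    return objects


def distrust_after(obj):
    """The server distrust-after cutoff as an aware datetime, or None.

    NSS encodes the date as an ASCII UTCTime string ("YYMMDDHHMMSSZ");
    "CK_BBOOL CK_FALSE" means no cutoff.
    """
    attr = obj.get("CKA_NSS_SERVER_DISTRUST_AFTER")
    if attr is None or attr == ("CK_BBOOL", "CK_FALSE"):
        return None
    when = datetime.strptime(attr[1].decode("ascii"), "%y%m%d%H%M%SZ")
    return when.replace(tzinfo=timezone.utc)


def trusted_for_server_auth(obj, leaf_not_before):
    """NSS semantics: a TLS anchor only if the serverAuth bit is set and the
    end-entity certificate was issued (notBefore) before the cutoff."""
    if obj.get("CKA_TRUST_SERVER_AUTH") != ("CK_TRUST", "CKT_NSS_TRUSTED_DELEGATOR"):
        return False
    cutoff = distrust_after(obj)
    return cutoff is None or leaf_not_before < cutoff


_OPENSSL_PURPOSE = {
    "CKA_TRUST_SERVER_AUTH": "serverAuth",
    "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
    "CKA_TRUST_CODE_SIGNING": "codeSigning",
}


def openssl_aux_trust(obj):
    """Map NSS trust bits to OpenSSL's TRUSTED CERTIFICATE (trust, reject) lists.

    CKT_NSS_MUST_VERIFY_TRUST means "no opinion; chain must reach some other
    anchor", so it lands in neither list. The aux format has no field for a
    distrust-after date, which is exactly the nuance that gets lost.
    """
    trusted, rejected = [], []
    for attr, purpose in _OPENSSL_PURPOSE.items():
        value = obj.get(attr, (None, None))[1]
        if value == "CKT_NSS_TRUSTED_DELEGATOR":
            trusted.append(purpose)
        elif value == "CKT_NSS_NOT_TRUSTED":
            rejected.append(purpose)
    return trusted, rejected


def summarize(text, leaf_not_before_iso):
    """Run the whole pipeline on one fragment for a leaf issued on the given date."""
    obj = parse_certdata(text)[0]
    when = datetime.fromisoformat(leaf_not_before_iso).replace(tzinfo=timezone.utc)
    cutoff = distrust_after(obj)
    trusted, rejected = openssl_aux_trust(obj)
    return {
        "label": obj["CKA_LABEL"][1],
        "distrust_after": cutoff.isoformat() if cutoff else None,
        "nss_trusts_leaf": trusted_for_server_auth(obj, when),
        "openssl_trust": trusted,
        "openssl_reject": rejected,
    }


if __name__ == "__main__":
    for issued in ("2023-01-01", "2024-01-01"):
        print(issued, summarize(SAMPLE_CERTDATA, issued))
```

Running it shows the asymmetry the text describes: NSS (and so Firefox) still trusts a leaf issued before 2023-07-31 and refuses one issued after, while the OpenSSL-style output can only say "serverAuth trusted, emailProtection rejected" with no date at all. A converter that preserves semantics has to keep the cutoff in whatever output formats can carry it and, for those that cannot, decide deliberately rather than silently drop it.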

Contributing & Developing

Users are expected to abide by the Contributor Covenant, version 2.1.

The easiest way to develop this software is with Nix, which will provide the dependencies for you automatically (at least on Linux-based distributions).

You should be able to run nix-shell in the root of this repo to get a working shell containing a Python interpreter with ruff, pytest, pytype, and so on.

It is also suggested to run pre-commit when making changes; you can install its hook using pre-commit install which will ensure that things are correctly formatted before permitting a commit.

However, because this software aims to have no dependencies outside of the Python stdlib, it should be possible to at least make changes and run the software without Nix or any other software installed. I do suggest installing pytest and ruff, though, because then you can ensure a baseline level of correctness before letting GitHub Actions judge your PR.