Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]



On 12/22/2010 01:02 PM, Stef Walter wrote:
> On 2010-12-22 14:42, Dan Winship wrote:
>> For GNOME, I was assuming that this information would be stored in
>> gsettings/dconf. (This is
>> https://bugzilla.gnome.org/show_bug.cgi?id=543455, although the bug was
>> originally something slightly different, and I hijacked it a bit as of
>> comment 8.)
>>
>> Then we just rely on dconf defaults/lockdown stuff to make it so the
>> distro/admin can set things up as desired and the user can't override it
>> without root authorization.
> 
> True, we could use gsettings/dconf for the current GNOME implementation.
> Sounds like a good plan. I guess we'd need to figure out where to
> install the schema from since it's used by multiple projects.

After trying to implement this, we figured out that it's not possible to
lock down settings for just part of dconf/gsettings on an otherwise
non-locked-down system. So we're back to a file for this.

In line with Dan's suggestion about not using /etc/xdg (unless we commit
to the whole standard) I've changed things around a bit:

The configuration files are at: /etc/pkcs11/pkcs11-options and
/etc/pkcs11/pkcs11-options.defaults. The latter is installed, and the
former contains overrides (if present).

The format still uses the 'Desktop entry' format [1].

Remember that we're still using the directory /usr/lib/pkcs11 for
actually enumerating the installed modules. [2] This config file is only
for additional options such as which slots to use for trust assertions.

This is already implemented in libgcr, so unless there are objections,
I'll go ahead and implement this in glib-networking as well.

Cheers,

Stef

[1] http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s02.html

[2] http://wiki.cacert.org/Pkcs11TaskForce#PKCS11_in_FHS_Proposal
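
An added illustration (not code from libgcr, glib-networking or this thread) of reading the two files described above: the installed defaults first, then the optional overrides file. The group and key names are hypothetical, and the per-key merge and the ownership check are assumptions, since the message specifies neither.

```python
import configparser
import os
import stat
import tempfile

DEFAULTS = "/etc/pkcs11/pkcs11-options.defaults"  # installed file (path from the message)
OVERRIDES = "/etc/pkcs11/pkcs11-options"          # optional overrides (path from the message)

def parse(path):
    """Read one 'Desktop entry' style file into {group: {key: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                   interpolation=None, default_section="__none__")
    cp.optionxform = str  # keys are case-sensitive in this format
    with open(path, encoding="utf-8") as fh:
        cp.read_file(fh)
    return {group: dict(cp[group]) for group in cp.sections()}

def admin_only(path, owner_uid=0):
    """True if only owner_uid can modify the file (assumed policy, not from the thread)."""
    st = os.stat(path)
    return st.st_uid == owner_uid and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def load_options(defaults=DEFAULTS, overrides=OVERRIDES, owner_uid=0):
    """Defaults first, then per-key overrides from the optional second file."""
    for path in (defaults, overrides):
        if os.path.exists(path) and not admin_only(path, owner_uid):
            raise PermissionError(f"{path} is writable by non-admin users")
    merged = parse(defaults)  # a missing defaults file raises FileNotFoundError
    if os.path.exists(overrides):
        for group, entries in parse(overrides).items():
            merged.setdefault(group, {}).update(entries)
    return merged

def demo():
    """Run the merge on constructed files; group and key names are hypothetical."""
    with tempfile.TemporaryDirectory() as d:
        dflt = os.path.join(d, "pkcs11-options.defaults")
        over = os.path.join(d, "pkcs11-options")
        with open(dflt, "w") as fh:
            fh.write("# constructed sample\n[trust-assertions]\nslots=default-slot\nlookups=enabled\n")
        with open(over, "w") as fh:
            fh.write("[trust-assertions]\nslots=admin-slot\n")
        os.chmod(dflt, 0o644)
        os.chmod(over, 0o644)
        return load_options(dflt, over, owner_uid=os.getuid())

if __name__ == "__main__":
    print(demo())
```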

