

mk-ca-bundle: certdata.txt pulled from soon to be EOL URL

From: Ed Morley <>
Date: Thu, 10 Jul 2014 21:25:32 +0100


I noticed that fetches certdata.txt from
rather than the actual Mercurial VCS locations.

MXR is just a code indexer for Mozilla's repositories, that
holds cached versions of files from their canonical VCSs. Using
certdata.txt from MXR is not ideal since:
* the indexer sometimes fails, resulting in stuck stale files
* MXR is due to be retired soon (replaced by DXR)
* MXR is known to have pretty poor security (part of the reason for
   retirement), so I would trust the cached copy of files there much
   less than from their canonical location on

I was putting together a patch to switch the URLs to
ones like [1]:

However upon testing it became apparent that hgweb [2] doesn't output
(or use) Last-Modified headers, and only understands ETag [3]. As a
result I get:

$ ./
Warning: Use of this script may pose some risk, -d risk for more details.
Downloading 'certdata.txt' ...
Use of uninitialized value in gmtime at ./ line 258.
Processing 'certdata.txt' ...
Done (153 CA certs processed, 36 skipped).

...and we lose support for handling an unmodified certdata.txt.

Some options:
1) File an upstream Mercurial bug to add Last-Modified headers & then
pester Mozilla server ops to update the Hg version used to serve
2) Forget about checking for last modified and just use the current time
in the comment header for the generated file.
3) Fetch certdata.txt again and compare to the old file locally, and
either use the current datetime for the comment header or else some
other identifier (e.g. Mercurial SHA current on that repo's tip).

#1 seems like the superior option, however it might be a bit of an
uphill struggle gaining interest/acceptance upstream.

I don't have an exact timeframe for MXR being EOLed, but it will likely
be this year sometime - so it would be good to get this sorted before
the script stops working :-)

Anyway, I'm keen to know your thoughts.

Best wishes,


[1] Ideally I would switch these to HTTPS, however this was tried before
(with MXR at least) and reverted due to issues with LWP and HTTPS:
[3] and
Received on 2014-07-11
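
Added example, not part of the original mail or of mk-ca-bundle: a Perl sketch of change detection when the server sends only an ETag, falling back to a local SHA-256 comparison (option 3) and to the current time for the header stamp (option 2) instead of calling gmtime on an undefined value. The function names, the hash layout and the four responses are constructed for illustration; responses are plain hashes so the logic runs offline.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use POSIX qw(strftime);

# Request headers for the next fetch: send the saved ETag, if any.
sub conditional_headers {
    my ($cache) = @_;
    return defined $cache->{etag} ? ('If-None-Match' => $cache->{etag}) : ();
}

# $cache: { etag, sha256 } from the previous run; $resp: { code, etag, last_modified, body }.
# last_modified is epoch seconds or undef (hgweb sends no Last-Modified).
sub check_update {
    my ($cache, $resp) = @_;
    return { changed => 0, why => '304 Not Modified' } if $resp->{code} == 304;

    my $digest = sha256_hex($resp->{body});
    return { changed => 0, why => 'same SHA-256 as cached copy' }
        if defined $cache->{sha256} && $cache->{sha256} eq $digest;

    # Guard gmtime: fall back to the current time when no Last-Modified exists.
    my $lm    = $resp->{last_modified};
    my $epoch = defined $lm ? $lm : time;
    @$cache{qw(etag sha256)} = ($resp->{etag}, $digest);
    return {
        changed => 1,
        why     => defined $lm ? 'Last-Modified header' : 'no Last-Modified, using now',
        stamp   => strftime('%a %b %d %H:%M:%S %Y', gmtime($epoch)),
    };
}

# Constructed responses, not captured traffic.
my %cache;
my @runs = (
    { code => 200, etag => '"constructed-1"', body => "CKA_LABEL one\n" },
    { code => 304, body => '' },
    { code => 200, body => "CKA_LABEL one\n" },    # no validators at all
    { code => 200, etag => '"constructed-2"', body => "CKA_LABEL two\n" },
);
for my $resp (@runs) {
    my %hdr = conditional_headers(\%cache);
    my $r   = check_update(\%cache, $resp);
    printf "sent If-None-Match=%s -> %s (%s)\n",
        $hdr{'If-None-Match'} // 'none', $r->{changed} ? 'changed' : 'unchanged', $r->{why};
}
```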