On Sunday, August 24, 2014 11:47:56 Jan Alexander Steffens wrote:
> The current issues are:
> - Mozilla NSS uses its own root store and not /etc/ssl/certs
> - ca-certificates ships outdated Mozilla roots
> - Shipping additional roots outside ca-certificates is difficult, requiring patching /etc/ca-certificates.conf

A quick search shows that we have more packages shipping their own (maybe outdated) copy of the CA certificates in the package. Since we are already on the topic of the inconsistency between nss and ca-certificates, I would like to also bring these up. I'd think it a good idea to make them use /etc/ssl/certs too. (Maybe not the ones in examples? Thoughts?)

perl-mozilla-ca ships usr/share/perl5/vendor_perl/Mozilla/CA/cacert.pem
- serves as the reference for some other projects, for example spamassassin, gnucash, bugzilla, shutter...
- There was a discussion around this package in Debian [1], which resulted in not adding this package at all.

python{,2}-pip ship usr/lib/python{3.4,2.7}/site-packages/pip/_vendor/requests/cacert.pem
- We already have a patch for python{,2}-requests to use ca-certificates [2], but the embedded version in pip didn't use it.

python{,2}-certifi ship usr/lib/python{3.4,2.7}/site-packages/certifi/cacert.pem
- only affects tornado for now, consider removing the package and patching tornado?

vagrant ships opt/vagrant/embedded/cacert.pem
- looks like it has an option to use system-wide ca-certificates [3], would we patch it or simply remove the embedded version?

goagent ships usr/share/goagent/local/cacert.pem
- looks like simple patching.

And some others I didn't look further into:
- opensips ships etc/opensips/tls/rootCA/cacert.pem
- owncloud ships usr/share/webapps/owncloud/apps/files_external/3rdparty/aws-sdk-php/Guzzle/Http/Resources/cacert.pem, usr/share/webapps/owncloud/apps/files_external/3rdparty/google-api-php-client/src/io/cacerts.pem, ...
- swi-prolog ships usr/lib/swipl-6.6.5/doc/packages/examples/ssl/etc/demoCA/cacert.pem
- erlang/erlang-nox ship usr/lib/erlang/lib/ssl-5.3.5/examples/certs/etc/client/cacerts.pem, usr/lib/erlang/lib/ssl-5.3.5/examples/certs/etc/server/cacerts.pem

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698101
[2] https://projects.archlinux.org/svntogit/community.git/tree/trunk/certs.patch...
[3] https://www.digitalocean.com/community/tutorials/how-to-use-digitalocean-as-...

Regards,
Felix Yan
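The thread above is about finding packages that carry their own copy of the CA bundle and deciding whether each copy is a stale duplicate, a symlink into the system store, or something that needs a patch. The following audit script is an added example, not code from the mailing list or from any of the packages named in it. It assumes the system store is a single PEM file (on Arch, /etc/ssl/certs/ca-certificates.crt), that bundled copies use one of the file names in BUNDLE_NAMES, and it compares stores by the SHA-256 fingerprint of each certificate's DER body. The demo builds a constructed directory tree with placeholder PEM blocks (not real certificates) so it runs offline; on a live system you would call audit_tree("/usr", Path("/etc/ssl/certs/ca-certificates.crt")) instead.

```python
"""Audit bundled CA stores against the system bundle (added example).

Assumptions: the system bundle is one PEM file; bundled copies are PEM files
named as in BUNDLE_NAMES. Fingerprints are SHA-256 over the DER of each block.
"""
import base64
import hashlib
import os
import re
import tempfile
from pathlib import Path

BUNDLE_NAMES = {"cacert.pem", "cacerts.pem", "ca-certificates.crt"}
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """Return the set of SHA-256 fingerprints (over DER) of every PEM block."""
    fps = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def find_bundles(root):
    """Walk root and return every file (or symlink) whose name looks like a CA bundle."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in BUNDLE_NAMES:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def audit_bundle(bundle_path, system_path):
    """Classify one bundled store relative to the system store.

    A symlink into the system store needs no patching. Otherwise report how
    many roots the copy has that the system lacks (removed or private roots)
    and how many system roots it is missing (outdated copy).
    """
    if bundle_path.is_symlink() and bundle_path.resolve() == system_path.resolve():
        return {"status": "symlink-to-system"}
    bundle_fps = fingerprints(bundle_path.read_text())
    system_fps = fingerprints(system_path.read_text())
    return {
        "status": "identical" if bundle_fps == system_fps else "differs",
        "only_in_bundle": len(bundle_fps - system_fps),
        "missing_from_bundle": len(system_fps - bundle_fps),
    }


def audit_tree(root, system_path):
    """Map each bundle found under root (path relative to root) to its audit result."""
    root = Path(root)
    return {str(p.relative_to(root)): audit_bundle(p, system_path)
            for p in find_bundles(root)}


def _fake_cert(seed):
    """Constructed placeholder PEM block: base64 of arbitrary bytes, not a real certificate."""
    der = hashlib.sha256(seed.encode()).digest() * 4
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


def demo():
    """Build a constructed tree with three kinds of bundled copy and audit it."""
    tmp = Path(tempfile.mkdtemp())
    system = tmp / "etc" / "ssl" / "certs" / "ca-certificates.crt"
    system.parent.mkdir(parents=True)
    system.write_text(_fake_cert("root-a") + _fake_cert("root-b") + _fake_cert("root-c"))
    usr = tmp / "usr"
    # Outdated copy: lacks root-c and still carries a root the system dropped.
    stale = usr / "share/perl5/vendor_perl/Mozilla/CA/cacert.pem"
    stale.parent.mkdir(parents=True)
    stale.write_text(_fake_cert("root-a") + _fake_cert("root-b") + _fake_cert("removed-root"))
    # Already patched: a symlink into the system store.
    linked = usr / "lib/python3.4/site-packages/pip/_vendor/requests/cacert.pem"
    linked.parent.mkdir(parents=True)
    linked.symlink_to(system)
    # Byte-for-byte duplicate of the system store (a candidate for replacing with a symlink).
    same = usr / "share/goagent/local/cacert.pem"
    same.parent.mkdir(parents=True)
    same.write_text(system.read_text())
    return audit_tree(usr, system)


if __name__ == "__main__":
    for path, result in demo().items():
        print(path, result)
```

A copy reported as "differs" with a non-zero "missing_from_bundle" count is the case the thread is worried about: TLS clients using that file will fail to validate certificates chaining to roots added since the copy was made, and a non-zero "only_in_bundle" count means they still trust roots the system store has removed.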