[arch-dev-public] Rethinking our CA certificate setup

Felix Yan felixonmars at gmail.com
Sun Aug 24 10:51:47 EDT 2014


On Sunday, August 24, 2014 11:47:56 Jan Alexander Steffens wrote:
> The current issues are:
> - Mozilla NSS uses its own root store and not /etc/ssl/certs
> - ca-certificates ships outdated Mozilla roots
> - Shipping additional roots outside ca-certificates is difficult,
> requiring patching /etc/ca-certificates.conf

A quick search shows that we have more packages shipping their own (maybe 
outdated) copy of the CA certificates in the package. Since we are already on 
the topic of the inconsistency between nss and ca-certificates, I would like to 
also bring these up. I'd think it a good idea to make them use /etc/ssl/certs 
too. (Maybe not the ones in examples? Thoughts?)

perl-mozilla-ca ships usr/share/perl5/vendor_perl/Mozilla/CA/cacert.pem
- serves as the reference for some other projects, for example spamassassin, 
gnucash, bugzilla, shutter...
- There was a discussion around this package in Debian [1], which resulted in 
not adding this package at all.

python{,2}-pip ship usr/lib/python{3.4,2.7}/site-packages/pip/_vendor/requests/cacert.pem
- We already have a patch for python{,2}-requests to use ca-certificates [2], 
but the embedded version in pip didn't use it.

python{,2}-certifi ship usr/lib/python{3.4,2.7}/site-packages/certifi/cacert.pem
- only affects tornado for now, consider removing the package and patching 
tornado?

vagrant ships opt/vagrant/embedded/cacert.pem
- looks like it has an option to use system-wide ca-certificates [3], would we 
patch it or simply remove the embedded version?

goagent ships usr/share/goagent/local/cacert.pem
- looks like a simple patch.

And some others I didn't look further into:
- opensips ships etc/opensips/tls/rootCA/cacert.pem
- owncloud ships usr/share/webapps/owncloud/apps/files_external/3rdparty/aws-sdk-php/Guzzle/Http/Resources/cacert.pem, 
usr/share/webapps/owncloud/apps/files_external/3rdparty/google-api-php-client/src/io/cacerts.pem, ...
- swi-prolog ships usr/lib/swipl-6.6.5/doc/packages/examples/ssl/etc/demoCA/cacert.pem
- erlang/erlang-nox ship usr/lib/erlang/lib/ssl-5.3.5/examples/certs/etc/client/cacerts.pem, 
usr/lib/erlang/lib/ssl-5.3.5/examples/certs/etc/server/cacerts.pem

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698101
[2] https://projects.archlinux.org/svntogit/community.git/tree/trunk/certs.patch?h=packages/python-requests
[3] https://www.digitalocean.com/community/tutorials/how-to-use-digitalocean-as-your-provider-in-vagrant-on-an-ubuntu-12-10-vps

Regards,
Felix Yan
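A check a packager could run on any of the bundled cacert.pem copies listed above, added here as an example (it is not from this thread or from any of the projects named): it parses two PEM bundles, fingerprints every certificate by the SHA-256 of its DER bytes, and reports which roots the embedded copy lacks or adds relative to the system store. The two sample bundles at the bottom are constructed; their base64 bodies are not real certificates and only exercise the parsing and comparison logic.

```python
"""Compare an application's embedded CA bundle against the system bundle."""
import base64
import hashlib
import re

# One PEM certificate block; re.S lets the body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """Return the set of SHA-256 hex fingerprints of each cert's DER bytes."""
    fps = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # strip line wrapping
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def compare_bundles(system_pem, embedded_pem):
    """Diff an embedded bundle against the system one.

    Returns (missing, extra): roots the embedded copy lacks (a stale bundle
    fails to verify servers chaining to newer roots) and roots it carries
    that the distro store does not (trust the distro never granted).
    """
    system = fingerprints(system_pem)
    embedded = fingerprints(embedded_pem)
    return sorted(system - embedded), sorted(embedded - system)


def _pem(der):
    """Wrap constructed bytes in PEM armor, 64 chars per line like openssl."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed sample data: not real certificates, just distinct DER-like blobs.
ROOT_A, ROOT_B, ROOT_C = (b"constructed-root-" + x for x in (b"A", b"B", b"C"))
SYSTEM_BUNDLE = _pem(ROOT_A) + _pem(ROOT_B)    # what /etc/ssl/certs would hold
EMBEDDED_BUNDLE = _pem(ROOT_A) + _pem(ROOT_C)  # an app's stale private copy

if __name__ == "__main__":
    missing, extra = compare_bundles(SYSTEM_BUNDLE, EMBEDDED_BUNDLE)
    print("roots missing from embedded bundle:", missing)
    print("roots only in embedded bundle:", extra)
```

Against real files, read the system bundle from /etc/ssl/certs and the embedded one from the package path (for example the perl-mozilla-ca path above) and pass both texts to compare_bundles; a non-empty result on either side is the reason to patch the package to use the system store.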