Subject: bug#55043: Some packages depend on nss-certs, some bundle it.
From: Maxime Devos <maximedevos@HIDDEN>
To: 55043 <at> debbugs.gnu.org
Cc: hartmut goebel <h.goebel@HIDDEN>
X-Debbugs-CC: Hartmut Goebel <h.goebel@HIDDEN>
Date: Wed, 20 Apr 2022 17:22:53 +0200
Message-ID: <2e58ada4430ad222c4bc392971edb014c5f10440.camel@HIDDEN>
X-GNU-PR-Package: guix
Hi,
There are some packages bundling CA certificates:
* nss-certs / le-certs (this one is not a problem)
* python-certifi
* perl-mozilla-ca
* rust-webpki-roots
* erlang-certifi (not yet, see <https://issues.guix.gnu.org/54796#3>)
* go-github-com-certifi-gocertifi
Worse, these packages have many dependencies!
$ guix refresh -l nss-certs le-certs python-certifi perl-mozilla-ca rust-webpki-roots
Building the following 534 packages would ensure 1575 dependent packages are rebuilt: ...
Why is this a problem?
* I don't think that anybody is actually looking into keeping
python-certifi / perl-mozilla-ca / rust-webpki-roots / ...
up to date. Security problems!
* Even so, this seems a waste of time to me, why not just use
$SSL_CERT_DIR / $SSL_CERT_FILE instead?
* Lots of rebuilds to update things.
* (relatively minor) Allowing overriding the certificates trusted with
$SSL_CERT_DIR / $SSL_CERT_FILE would be nice.
Also relevant to the third point: some packages depend on nss-certs.
I've heard an argument in favour of just using the certifi packages
instead of using our own certificates:
> (from Hartmut Goebel, at <https://issues.guix.gnu.org/54796#52>)
> Neither python-certifi nor gocertifi build on nss-cert. Adding some
> update mechanism into the Guix package is not a good idea IMO: This
> would make “erlang-certif@HIDDEN“ contain different certificates
> than the release 2.9.0, making debugging a hell.
... but I don't follow, it's just a different set of certificates, could
you elaborate?
Proposal:
* eventually remove python-certifi, perl-mozilla-ca, ... because nobody
appears to be keeping them up-to-date and for security it is important
for them to be up to date.
* likewise, forbid new packages from being included as-is if they depend on
a certifi package or nss-certs.
* Look into removing the certifi packages from the inputs of packages,
submitting patches to upstream for using $SSL_CERT_... / /etc/ssl/certs ...
as appropriate.
Upstream issues and patches I'm aware of:
* (python-requests, bug report): https://github.com/psf/requests/issues/2966
* (rebar3, bug report + patch): https://github.com/erlang/rebar3/issues/2696,
https://github.com/erlang/otp/pull/5853
Greetings,
Maxime.
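As an added example (not code from the report above, nor from Guix or any of the certifi packages it names), the two things the report argues for in working form: a trust-store lookup that honours $SSL_CERT_FILE / $SSL_CERT_DIR and the system store before falling back to a copy bundled with the package, and a fingerprint diff between a bundled cacert.pem and the system store, which is the quick way to tell whether a bundled copy has gone stale. The function names, the /etc/ssl/certs/ca-certificates.crt path and the sample bundles are assumptions made for the example; the sample "certificates" are constructed byte strings, not X.509 data.

```python
"""Added example (not from the bug report or any package it names).

  * resolve_ca_bundle(): choose the CA store override-first, the way the
    report asks upstream packages to behave;
  * diff_bundles(): compare a bundled cacert.pem against the system store
    by certificate fingerprint to spot a stale bundle.

The sample bundles at the bottom are constructed for this example.
"""
import base64
import hashlib
import os
import re
from typing import Callable, Dict, List, Tuple

# Assumption: the system store lives under /etc/ssl/certs (the directory the
# report names); the file name is the one Guix's nss-certs provides there.
SYSTEM_CA_FILE = "/etc/ssl/certs/ca-certificates.crt"
SYSTEM_CA_DIR = "/etc/ssl/certs"


def resolve_ca_bundle(env: Dict[str, str], bundled_fallback: str,
                      exists: Callable[[str], bool] = os.path.exists
                      ) -> Tuple[str, str]:
    """Return ("file" | "dir", path) in override-first order.

    `exists` is injectable so the precedence can be tested without touching
    the real filesystem.
    """
    for var, kind in (("SSL_CERT_FILE", "file"), ("SSL_CERT_DIR", "dir")):
        value = env.get(var)
        if value:
            # An explicit override that does not exist must fail closed:
            # silently falling through would re-enable the stale bundle the
            # operator was trying to replace.
            if not exists(value):
                raise FileNotFoundError(f"{var}={value!r} does not exist")
            return kind, value
    if exists(SYSTEM_CA_FILE):
        return "file", SYSTEM_CA_FILE
    if exists(SYSTEM_CA_DIR):
        return "dir", SYSTEM_CA_DIR
    # Last resort only: this is the copy nobody is keeping up to date.
    return "file", bundled_fallback


_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# Mozilla-derived bundles (certifi, mozilla-ca) put '# Label: "..."' before
# each block; it is only used here to name entries in the diff.
_LABEL_RE = re.compile(r'^# Label: "(.*)"$', re.M)


def parse_bundle(pem_text: str) -> Dict[str, str]:
    """Map SHA-256 fingerprint of each DER blob to its label ('?' if none)."""
    result: Dict[str, str] = {}
    pos = 0
    for m in _PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        labels = _LABEL_RE.findall(pem_text[pos:m.start()])
        result[hashlib.sha256(der).hexdigest()] = labels[-1] if labels else "?"
        pos = m.end()
    return result


def diff_bundles(bundled_pem: str, system_pem: str
                 ) -> Tuple[List[str], List[str]]:
    """(only in bundled copy, only in system store), by label.

    The first list is trust the system has withdrawn but the package still
    extends; the second is roots the bundled copy has not picked up.
    """
    bundled, system = parse_bundle(bundled_pem), parse_bundle(system_pem)
    only_bundled = sorted(bundled[fp] for fp in bundled.keys() - system.keys())
    only_system = sorted(system[fp] for fp in system.keys() - bundled.keys())
    return only_bundled, only_system


def _fake_pem(label: str) -> str:
    """Constructed stand-in for a certificate block (not X.509)."""
    b64 = base64.b64encode(b"constructed-not-x509:" + label.encode()).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (f'# Label: "{label}"\n-----BEGIN CERTIFICATE-----\n{body}\n'
            "-----END CERTIFICATE-----\n")


# Constructed sample data: the bundled copy still carries "Old Root", the
# system store has moved on to "New Root".
BUNDLED_PEM = "".join(_fake_pem(l) for l in ("Root A", "Root B", "Old Root"))
SYSTEM_PEM = "".join(_fake_pem(l) for l in ("Root A", "Root B", "New Root"))

if __name__ == "__main__":
    stale, missing = diff_bundles(BUNDLED_PEM, SYSTEM_PEM)
    print("only in bundled copy:", stale)     # ['Old Root']
    print("only in system store:", missing)   # ['New Root']
    # "cacert.pem" stands in for the package's own bundled file.
    print(resolve_ca_bundle(dict(os.environ), "cacert.pem"))
```

Run against a real pair of files (read the package's cacert.pem and the system ca-certificates.crt into the two strings) the first list is the one to worry about: every root there is still trusted by the package after the distribution has stopped trusting it.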
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Maxime Devos <maximedevos@HIDDEN>
Subject: bug#55043: Acknowledgement (Some packages depend on nss-certs, some bundle it.)
Date: Wed, 20 Apr 2022 15:24:02 +0000
Thank you for filing a new bug report with debbugs.gnu.org.
This is an automatically generated reply to let you know your message has been received.
Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.
As you requested using X-Debbugs-CC, your message was also forwarded to hartmut goebel <h.goebel@HIDDEN> (after having been given a bug report number, if it did not have one).
Your message has been sent to the package maintainer(s): bug-guix@HIDDEN
If you wish to submit further information on this problem, please send it to 55043 <at> debbugs.gnu.org.
Please do not send mail to help-debbugs@HIDDEN unless you wish to report a problem with the Bug-tracking system.
-- 
55043: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=55043
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems