GNU bug report logs - #55043
Some packages depend on nss-certs, some bundle it.


Package: guix; Reported by: Maxime Devos <maximedevos@HIDDEN>; dated Wed, 20 Apr 2022 15:24:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at submit <at> debbugs.gnu.org:


Message-ID: <2e58ada4430ad222c4bc392971edb014c5f10440.camel@HIDDEN>
Subject: Some packages depend on nss-certs, some bundle it.
From: Maxime Devos <maximedevos@HIDDEN>
To: bug-guix@HIDDEN
Date: Wed, 20 Apr 2022 17:22:53 +0200

X-Debbugs-CC: Hartmut Goebel <h.goebel@HIDDEN>

Hi,

There are some packages bundling CA certificates:

 * nss-certs / le-certs (this one is not a problem)
 * python-certifi
 * perl-mozilla-ca
 * rust-webpki-roots
 * erlang-certifi (not yet, see <https://issues.guix.gnu.org/54796#3>)
 * go-github-com-certifi-gocertifi

Worse, these packages have many dependencies!

$ guix refresh -l nss-certs le-certs python-certifi perl-mozilla-ca rust-webpki-roots
Het bouwen van het volgende 534 pakketten zorgt ervoor dat 1575 afhankelijke pakketten opnieuw worden gebouwd: ...

Why is this a problem?

 * I don't think that anybody is actually looking into keeping
   python-certifi / perl-mozilla-ca / rust-webpki-roots / ...
   up to date.  Security problems!
 * Even so, this seems a waste of time to me, why not just use
   $SSL_CERT_DIR / $SSL_CERT_FILE instead?
 * Lots of rebuilds to update things.
 * (relatively minor) Allowing overriding the certificates trusted with
   $SSL_CERT_DIR / $SSL_CERT_FILE would be nice.

Also relevant to the third point: some packages depend on nss-certs.

I've heard an argument in favour of just using the certifi packages
instead of using our own certificates:

> (from Hartmut Goebel, at <https://issues.guix.gnu.org/54796#52>)
> Neither python-certifi nor gocertifi build on nss-cert. Adding some
> update mechanism into the Guix package is not a good idea IMO: This
> would make “erlang-certif@HIDDEN” contain different certificates
> than the release 2.9.0, making debugging a hell.

... but I don't follow, it's just a different set of certificates, could
you elaborate?

Proposal:

 * eventually remove python-certifi, perl-mozilla-ca, ... because nobody
   appears to be keeping them up-to-date and for security it is important
   for them to be up to date.
 * likewise, forbid new packages from being included as-is if they depend on
   a certifi package or nss-certs.

 * Look into removing the certifi packages from the inputs of packages,
   submitting patches to upstream for using $SSL_CERT_... / /etc/ssl/certs ...
   as appropriate.

Upstream issues and patches I'm aware of:

 * (python-requests, bug report): https://github.com/psf/requests/issues/2966
 * (rebar3, bug report + patch): https://github.com/erlang/rebar3/issues/2696,
   https://github.com/erlang/otp/pull/5853

Greetings,
Maxime.
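
Two of the points above, the staleness of a bundled store and preferring $SSL_CERT_FILE / $SSL_CERT_DIR over it, can be checked mechanically. The following is an added example, not code from this report or from Guix: it fingerprints every certificate in two PEM bundles and reports what each store has that the other lacks, and it resolves the CA store in the order the report argues for. The PEM inputs are constructed placeholders (PEM-framed arbitrary bytes, not real certificates), and the function names are assumptions.

```python
import base64
import hashlib
import os
import re
import ssl

# One PEM block per certificate; the base64 body may be wrapped across lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """Map SHA-256 fingerprint (hex) -> DER bytes for each certificate in a bundle."""
    out = {}
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        out[hashlib.sha256(der).hexdigest()] = der
    return out


def bundle_diff(bundled_pem, system_pem):
    """Roots only the bundled store trusts (possibly withdrawn upstream) and
    roots only the system store trusts (missed by a stale bundle)."""
    bundled, system = fingerprints(bundled_pem), fingerprints(system_pem)
    return {"only_in_bundle": sorted(set(bundled) - set(system)),
            "only_in_system": sorted(set(system) - set(bundled))}


def ca_locations(environ=None):
    """(cafile, capath): honour SSL_CERT_FILE / SSL_CERT_DIR first, then the
    library defaults, instead of a CA bundle shipped inside the package."""
    env = os.environ if environ is None else environ
    cafile, capath = env.get("SSL_CERT_FILE"), env.get("SSL_CERT_DIR")
    if cafile or capath:
        return cafile, capath
    defaults = ssl.get_default_verify_paths()
    return defaults.cafile, defaults.capath


def make_context(environ=None):
    """TLS client context that verifies against the resolved system store."""
    cafile, capath = ca_locations(environ)
    return ssl.create_default_context(cafile=cafile, capath=capath)


def _fake_pem(payload):
    # Constructed placeholder: PEM framing around arbitrary bytes, NOT a real certificate.
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed sample stores: root B exists only in the bundle, root C only in the system store.
BUNDLED_PEM = _fake_pem(b"constructed root A") + _fake_pem(b"constructed root B")
SYSTEM_PEM = _fake_pem(b"constructed root A") + _fake_pem(b"constructed root C")
```

Run `bundle_diff` against a package's shipped bundle (for example certifi's cacert.pem) and `/etc/ssl/certs/ca-certificates.crt` to see how far the bundled store has drifted.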

Acknowledgement sent to Maxime Devos <maximedevos@HIDDEN>:
New bug report received and forwarded. Copy sent to h.goebel@HIDDEN, bug-guix@HIDDEN. Full text available.
Report forwarded to h.goebel@HIDDEN, bug-guix@HIDDEN:
bug#55043; Package guix. Full text available.
Last modified: Wed, 20 Apr 2022 15:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.