From: "Ariadne Conill"
To: "Filippo Valsorda", ~alpine/devel@lists.alpinelinux.org
Cc: "Natanael Copa"
Subject: Re: Extraneous roots in current ca-certificates package
Date: Mon, 13 Apr 2020 08:20:04 +0000
Message-ID: <1def9d6545dda3eaa7b676612566d275@dereferenced.org>

Hello,

On April 12, 2020 3:00 PM, "Filippo Valsorda" wrote:

> Hello,
>
> I recently ran a comparison of the root stores of Linux distributions
> with the Mozilla store, and found a couple issues:
>
> 1. There are a dozen or so certificates in ca-certificates 20191127
> (latest) that shouldn't be there. I think this was due to an issue in
> the Python script that was used to extract them. The new perl script
> from curl in git.alpinelinux.org/ca-certificates master is doing the
> right thing, so the fix should simply be to make a new release of the
> package.

The python script was originally from Debian, you may wish to report this to them as well.

> a. By the way, I would suggest adding a line to the "update"
> make target to download the latest version of mk-ca-bundle.pl as well,
> as the certdata.txt format changes over time and new distrust settings
> might get added. I can send a patch, but it's trivial enough that it
> might just cause you more work.
>
> 2. The Alpine branches that are still receiving security fixes
> only, v3.8-v3.10, have out of date ca-certificates packages which
> include roots distrusted due to severe security issues like Certinomis
> and TurkTrust.
> I think changes in the CA root store easily qualify as security fixes,
> and updates to ca-certificates should be propagated to all supported
> versions.

I agree, but without CVEs or some other feedback mechanism, low profile issues slip through the cracks. It would be nice for CVEs to be assigned when Mozilla distrusts a CA.

> By the way, I would have cc'd a security contact, but I could not
> find one on the website and it looks like the team might not have one, which
> is a bit concerning.

Historically, we have not had a designated security contact, but opening an issue on the tracker and designating it a security issue will ensure that it gets directed to somebody who can quickly solve the problem.

We should update the website to reflect this.

Ariadne
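The two technical points in the thread above, comparing a distribution's bundle against the Mozilla store and honouring the trust flags and newer distrust settings in certdata.txt, can be exercised together with the script below. It is an added example and is not code from Alpine's ca-certificates package, from the Debian Python extractor or from curl's mk-ca-bundle.pl. It assumes the certdata.txt layout (objects starting at each CKA_CLASS line, MULTILINE_OCTAL values terminated by END, a CKO_NSS_TRUST object per certificate), matches trust objects to certificates through CKA_CERT_SHA1_HASH, counts only CKT_NSS_TRUSTED_DELEGATOR under CKA_TRUST_SERVER_AUTH as a TLS anchor, and treats CKA_NSS_SERVER_DISTRUST_AFTER as an ASCII YYMMDDhhmmssZ string whose passing removes the root; all four sample "certificates" are constructed byte strings, not real X.509 data.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

SERVER_DISTRUST_ATTR = "CKA_NSS_SERVER_DISTRUST_AFTER"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
AS_OF = datetime(2020, 4, 13, tzinfo=timezone.utc)  # "now" for the distrust-after check


def _octal_lines(data: bytes, per_line: int = 16) -> str:
    """Render bytes as certdata.txt MULTILINE_OCTAL text (one \\ooo escape per byte)."""
    chunks = [data[i:i + per_line] for i in range(0, len(data), per_line)]
    return "\n".join("".join("\\%03o" % b for b in chunk) for chunk in chunks)


def _decode_octal(lines) -> bytes:
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(lines)))


def parse_certdata(text: str) -> list:
    """Split certdata.txt into objects (attribute -> value dicts).

    A new object starts at every CKA_CLASS line.  MULTILINE_OCTAL attributes are
    decoded to bytes; everything else keeps its raw token (CK_FALSE, CKT_NSS_...).
    """
    objects, current, lines = [], None, iter(text.splitlines())
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 2 or line.startswith("#"):  # blank, BEGINDATA, comments
            continue
        attr, typ = parts[0], parts[1]
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:
            continue
        if typ == "MULTILINE_OCTAL":
            body = []
            for inner in lines:
                if inner.strip() == "END":
                    break
                body.append(inner)
            current[attr] = _decode_octal(body)
        else:
            current[attr] = parts[2].strip('"') if len(parts) > 2 else ""
    return objects


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def trusted_server_roots(objects: list, now: datetime) -> dict:
    """Map SHA-256 fingerprint -> label for roots that are TLS server anchors.

    Assumptions of this example: trust objects are matched by CKA_CERT_SHA1_HASH;
    only CKT_NSS_TRUSTED_DELEGATOR counts (CKT_NSS_NOT_TRUSTED, CKT_NSS_MUST_VERIFY_TRUST
    and a missing trust object all exclude the root); an elapsed
    CKA_NSS_SERVER_DISTRUST_AFTER date, stored as YYMMDDhhmmssZ, also excludes it.
    """
    server_flag = {o["CKA_CERT_SHA1_HASH"]: o.get("CKA_TRUST_SERVER_AUTH")
                   for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    roots = {}
    for o in objects:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        der = o["CKA_VALUE"]
        if server_flag.get(hashlib.sha1(der).digest()) != "CKT_NSS_TRUSTED_DELEGATOR":
            continue
        cutoff = o.get(SERVER_DISTRUST_ATTR)  # bytes when set, "CK_FALSE" otherwise
        if isinstance(cutoff, bytes):
            when = datetime.strptime(cutoff.decode(), "%y%m%d%H%M%SZ")
            if now >= when.replace(tzinfo=timezone.utc):
                continue
        roots[fingerprint(der)] = o.get("CKA_LABEL", "?")
    return roots


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def bundle_fingerprints(pem_text: str) -> set:
    return {fingerprint(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)}


def compare(bundle_pem: str, certdata_text: str, now: datetime = AS_OF):
    """Return (fingerprints shipped but not trusted, {fp: label} trusted but not shipped)."""
    trusted = trusted_server_roots(parse_certdata(certdata_text), now)
    shipped = bundle_fingerprints(bundle_pem)
    return shipped - set(trusted), {fp: lbl for fp, lbl in trusted.items() if fp not in shipped}


# Constructed sample, not real certificates: (label, fake DER, server-auth flag, distrust-after).
SAMPLE = [
    ("Current Root", b"\x30\x82\x01" + bytes(range(0, 16)), "CKT_NSS_TRUSTED_DELEGATOR", None),
    ("Removed Root", b"\x30\x82\x02" + bytes(range(16, 32)), "CKT_NSS_NOT_TRUSTED", None),
    ("Email Only Root", b"\x30\x82\x03" + bytes(range(32, 48)), "CKT_NSS_MUST_VERIFY_TRUST", None),
    ("Sunset Root", b"\x30\x82\x04" + bytes(range(48, 64)), "CKT_NSS_TRUSTED_DELEGATOR", "190101000000Z"),
]


def build_certdata(entries=SAMPLE) -> str:
    """Emit a minimal certdata.txt for the sample, in the layout parse_certdata() reads."""
    out = ["BEGINDATA"]
    for label, der, flag, distrust_after in entries:
        out += ["CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE", f'CKA_LABEL UTF8 "{label}"',
                "CKA_VALUE MULTILINE_OCTAL", _octal_lines(der), "END"]
        if distrust_after:
            out += [f"{SERVER_DISTRUST_ATTR} MULTILINE_OCTAL", _octal_lines(distrust_after.encode()), "END"]
        else:
            out.append(f"{SERVER_DISTRUST_ATTR} CK_BBOOL CK_FALSE")
        out += [f'# Trust for "{label}"', "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST",
                f'CKA_LABEL UTF8 "{label}"', "CKA_CERT_SHA1_HASH MULTILINE_OCTAL",
                _octal_lines(hashlib.sha1(der).digest()), "END",
                f"CKA_TRUST_SERVER_AUTH CK_TRUST {flag}"]
    return "\n".join(out) + "\n"


def stale_bundle_report(now: datetime = AS_OF):
    """A bundle that still ships all four sample roots: only 'Current Root' belongs there."""
    bundle = "".join(to_pem(der) for _, der, _, _ in SAMPLE)
    return compare(bundle, build_certdata(), now)


if __name__ == "__main__":
    extraneous, missing = stale_bundle_report()
    print(f"extraneous roots in bundle: {len(extraneous)}, missing: {sorted(missing.values())}")
```

Against a real bundle, replace the sample with `open("/etc/ssl/certs/ca-certificates.crt").read()` and the current certdata.txt; anything reported as extraneous is a root the distribution ships that Mozilla no longer trusts for TLS, which is exactly the class of stale entry the thread is about.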