Date: Sun, 12 Apr 2020 21:34:51 +0000
From: Rasmus Thomsen
To: ~alpine/devel@lists.alpinelinux.org, Filippo Valsorda
CC: Natanael Copa
Subject: Re: Extraneous roots in current ca-certificates package
Message-ID: <80CC10B3-3DF8-4DB8-8119-A705C901B24C@cogitri.dev>

Hello, thanks for your message! (Although a Gitlab issue with hidden visibility probably would've been better.)

On April 12, 2020 9:00:43 PM UTC, Filippo Valsorda wrote:
> Hello,
>
> I recently ran a comparison of the root stores of Linux distributions
> with the Mozilla store, and found a couple issues:
>
> 1. There are a dozen or so certificates in ca-certificates 20191127
> (latest) that shouldn't be there. I think this was due to an issue in
> the Python script that was used to extract them. The new perl script
> from curl in git.alpinelinux.org/ca-certificates master is doing the
> right thing, so the fix should simply be to make a new release of the
> package.

Sure, I'll update it if no one beats me to it.

> a. By the way, I would suggest adding a line to the "update"
> make target to download the latest version of mk-ca-bundle.pl as well,
> as the certdata.txt format changes over time and new distrust settings
> might get added. I can send a patch, but it's trivial enough that it
> might just cause you more work.

Hm, right now we patch in the version curl uses, and we try to avoid downloading data in APKBUILDs that isn't checksummed by abuild, so I'm not sure if we want to do that.

> 2. The Alpine branches that are still receiving security fixes
> only, v3.8-v3.10, have out of date ca-certificates packages which
> include roots distrusted due to severe security issues like Certinomis
> and TurkTrust.
> I think changes in the CA root store easily qualify as security fixes,
> and updates to ca-certificates should be propagated to all supported
> versions.

Ah yes, we probably missed those since there were no explicit CVEs for old versions AFAICS.

> By the way, I would have cc'd a security contact, but I could not
> find one on the website and it looks like the team might not have one,
> which is a bit concerning.

Since we've switched to Gitlab, the best way to reach us for security concerns is probably to add a Gitlab issue with the visibility set to "hidden". That way every team member can see the issue, add additional comments to it and refer to it in commits. We make it public once the issue has been dealt with, so users know about past security issues. This is also how we handle CVEs of packaged software right now.

Regards,
Rasmus Thomsen

> Thanks for your work on Alpine,
> Filippo
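The comparison Filippo describes (a distribution's PEM bundle checked against a Mozilla-derived reference for roots that should no longer be there) can be done with nothing but the standard library. The script below is an added example for this page; it is not Filippo's script, not the ca-certificates package's Python or perl extractor, and not part of the thread. It compares bundles by SHA-256 fingerprint of the DER, so a reissued root with the same subject but a new key is not mistaken for the old one. The two bundles embedded in it are constructed from placeholder bytes, not real X.509 certificates; the same functions work unchanged on real files such as `/etc/ssl/certs/ca-certificates.crt`.

```python
"""Diff two PEM CA bundles by certificate fingerprint.

Added example, standard library only. The certificate bodies embedded
below are constructed placeholder bytes, not real X.509 certificates:
the diff only needs the DER bytes of each block to be comparable.
"""
import base64
import hashlib
import re
from typing import Dict, Set

# One match per certificate. Subject comment lines or blank lines between
# blocks (as in curl- or Debian-style bundles) fall outside the match.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER encoding, the identifier root programs use."""
    return hashlib.sha256(der).hexdigest()


def fingerprints(pem_text: str) -> Dict[str, bytes]:
    """Map fingerprint -> DER for every CERTIFICATE block in a bundle.

    Duplicated blocks within one bundle collapse to a single entry, and a
    block whose base64 is corrupt raises instead of being skipped silently.
    """
    found: Dict[str, bytes] = {}
    for match in PEM_BLOCK.finditer(pem_text):
        body = "".join(match.group(1).split())  # undo line wrapping
        der = base64.b64decode(body, validate=True)
        found[der_fingerprint(der)] = der
    return found


def extraneous_roots(distro_bundle: str, reference_bundle: str) -> Set[str]:
    """Fingerprints the distro ships that the reference store does not."""
    return set(fingerprints(distro_bundle)) - set(fingerprints(reference_bundle))


def missing_roots(distro_bundle: str, reference_bundle: str) -> Set[str]:
    """Fingerprints in the reference store that the distro does not ship."""
    return set(fingerprints(reference_bundle)) - set(fingerprints(distro_bundle))


# --- constructed sample input (placeholder bytes, not real certificates) ---
PLACEHOLDER_DER = {
    "Root A": b"constructed placeholder DER for root A",
    "Root B": b"constructed placeholder DER for root B",
    "Distrusted Root C": b"constructed placeholder DER for root C",
}


def pem_block(label: str) -> str:
    """Wrap placeholder bytes as a labelled, line-wrapped PEM block."""
    body = base64.encodebytes(PLACEHOLDER_DER[label]).decode()
    return (
        f"# {label}\n"
        "-----BEGIN CERTIFICATE-----\n"
        f"{body}"
        "-----END CERTIFICATE-----\n"
    )


# The distro bundle still carries "Distrusted Root C" and lists Root A
# twice; the reference bundle has dropped C.
DISTRO_BUNDLE = (
    pem_block("Root A")
    + pem_block("Root B")
    + pem_block("Distrusted Root C")
    + pem_block("Root A")
)
REFERENCE_BUNDLE = pem_block("Root A") + pem_block("Root B")


if __name__ == "__main__":
    for fp in sorted(extraneous_roots(DISTRO_BUNDLE, REFERENCE_BUNDLE)):
        print("extraneous root:", fp)
    for fp in sorted(missing_roots(DISTRO_BUNDLE, REFERENCE_BUNDLE)):
        print("missing root:", fp)
```

To audit a real system, read the distro bundle and a freshly generated reference (for example the output of curl's `mk-ca-bundle.pl`) into strings and pass them to `extraneous_roots`; anything it returns is a root the reference store no longer trusts, which is exactly the kind of leftover the thread is about.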