From: "Filippo Valsorda"
To: "Rasmus Thomsen", ~alpine/devel@lists.alpinelinux.org
Cc: "Natanael Copa"
Subject: Re: Extraneous roots in current ca-certificates package
Date: Sun, 12 Apr 2020 18:07:37 -0400
Message-Id: <95406ebc-f823-4215-a6d8-bbc0ee4ffec3@www.fastmail.com>
In-Reply-To: <80CC10B3-3DF8-4DB8-8119-A705C901B24C@cogitri.dev>

2020-04-12 17:34 GMT-04:00 Rasmus Thomsen:
>
> Hello,
>
> thanks for your message! (although a Gitlab issue with hidden
> visibility probably would've been better).

Thank you for the quick response!

> On April 12, 2020 9:00:43 PM UTC, Filippo Valsorda wrote:
> >Hello,
> >
> >I recently ran a comparison of the root stores of Linux distributions
> >with the Mozilla store, and found a couple issues:
> >
> > 1. There are a dozen or so certificates in ca-certificates 20191127
> >(latest) that shouldn't be there. I think this was due to an issue in
> >the Python script that was used to extract them. The new perl script
> >from curl in git.alpinelinux.org/ca-certificates master is doing the
> >right thing, so the fix should simply be to make a new release of the
> >package.
>
> Sure, I'll update it if no one beats me to it.
>
> > a. By the way, I would suggest adding a line to the "update"
> >make target to download the latest version of mk-ca-bundle.pl as well,
> >as the certdata.txt format changes over time and new distrust settings
> >might get added. I can send a patch, but it's trivial enough that it
> >might just cause you more work.
>
> Hm, right now we patch in the version curl uses, and we try to avoid
> downloading data in APKBUILDs that isn't checksummed by abuild so I'm
> not sure if we want to do that.

I mean the "update" target in the ca-certificates repo, which AFAICT is
run to fetch a new certdata.txt to be checked in. mk-ca-bundle.pl should
simply get the same treatment.

https://git.alpinelinux.org/ca-certificates/tree/Makefile?id=898ab81b51730dcd175069956d6e792385c9f457#n38

> > 2. The Alpine branches that are still receiving security fixes
> >only, v3.8-v3.10, have out of date ca-certificates packages which
> >include roots distrusted due to severe security issues like Certinomis
> >and TurkTrust.
> >I think changes in the CA root store easily qualify as security fixes,
> >and updates to ca-certificates should be propagated to all supported
> >versions.
>
> Ah yes, we probably missed those since there were no explicit CVEs for
> old versions AFAICS

Oh, that's a good point, we should bring up getting CVEs for distrusts
with Mozilla.

> >By the way, I would have cc'd a security contact, but I could not
> >find one on the website and it looks like the team might not have one,
> >which is a bit concerning.
>
> Since we've switched to Gitlab, the best way to reach us for security
> concerns is probably to add a Gitlab issue with the visibility set to
> "hidden". That way every team member can see the issue, add additional
> comments to it and refer to it in commits. We make it public once the
> issue has been dealt with then, so users know about past security
> issues. This is also how we handle CVEs of packaged software right now.

That sounds totally fine, but it's not really discoverable. May I suggest
listing these instructions somewhere prominent on the website? I usually
just load the website and grep the home, about, contact and community
pages for "security".

Cheers,
Filippo

> Regards,
>
> Rasmus Thomsen
>
> >Thanks for your work on Alpine,
> >Filippo
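As an added example (not code from this thread, from mk-ca-bundle.pl, or from Alpine's ca-certificates package), a small script in the spirit of the root-store comparison described above: it reads the CKO_NSS_TRUST objects of a Mozilla certdata.txt, fingerprints every certificate in a PEM bundle, and flags roots that have no trust object, that are not CKT_NSS_TRUSTED_DELEGATOR for server auth, or whose CKA_NSS_SERVER_DISTRUST_AFTER date (one of the "new distrust settings" the format has gained) has already passed. The certificate bodies and trust objects at the bottom are constructed stand-ins, not real roots or real certdata.txt content.

```python
import base64, datetime, hashlib, re
TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"  # the only server-auth flag mk-ca-bundle.pl includes by default

def _octal(block, key):  # decode a MULTILINE_OCTAL attribute (\ooo escapes up to END); b"" if absent
    m = re.search(key + r" MULTILINE_OCTAL\n(.*?)^END", block, re.S | re.M)
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", m.group(1))) if m else b""
def parse_trust_objects(certdata):
    """Map SHA-1 fingerprint -> (label, server-auth trust flag, distrust-after datetime or None)."""
    trust = {}
    for block in certdata.split("\n\n"):  # certdata.txt objects are separated by blank lines
        if "CKO_NSS_TRUST" not in block:
            continue  # CKO_CERTIFICATE objects carry the DER; the trust objects carry the policy
        label = re.search(r'CKA_LABEL UTF8 "(.*)"', block).group(1)
        flag = re.search(r"CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)", block).group(1)
        after = _octal(block, "CKA_NSS_SERVER_DISTRUST_AFTER")  # ASCII date such as b"200701000000Z"
        when = datetime.datetime.strptime(after.decode(), "%y%m%d%H%M%SZ") if after else None
        trust[_octal(block, "CKA_CERT_SHA1_HASH").hex()] = (label, flag, when)
    return trust
def bundle_fingerprints(pem):  # SHA-1 of each DER cert in a PEM bundle, the key trust objects use
    bodies = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [hashlib.sha1(base64.b64decode("".join(b.split()))).hexdigest() for b in bodies]
def extraneous_roots(pem, certdata, now):
    """(name, reason) for every bundle certificate Mozilla does not trust for TLS as of `now`."""
    trust, findings = parse_trust_objects(certdata), []
    for fp in bundle_fingerprints(pem):
        label, flag, when = trust.get(fp, (fp, None, None))
        if flag is None:
            findings.append((label, "no trust object in certdata.txt"))
        elif flag != TRUSTED:
            findings.append((label, "server auth trust is " + flag))
        elif when is not None and when <= now:
            findings.append((label, "server distrust after " + when.strftime("%Y-%m-%d")))
    return findings

# Constructed sample data: fake DER blobs and hand-built trust objects, not real roots or real certdata.
def _oct(raw): return "".join("\\%03o" % b for b in raw)
def _fake(name, flag, after="CK_BBOOL CK_FALSE"):
    der = ("constructed DER for " + name).encode()
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
    obj = ('CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\nCKA_LABEL UTF8 "%s"\nCKA_CERT_SHA1_HASH MULTILINE_OCTAL\n'
           "%s\nEND\nCKA_TRUST_SERVER_AUTH CK_TRUST %s\nCKA_NSS_SERVER_DISTRUST_AFTER %s\n")
    return pem, obj % (name, _oct(hashlib.sha1(der).digest()), flag, after)
GOOD, STRAY = _fake("Good Root", TRUSTED), _fake("Stray Root", TRUSTED)
MAIL = _fake("Email Only Root", "CKT_NSS_MUST_VERIFY_TRUST")
OLD = _fake("Sunset Root", TRUSTED, "MULTILINE_OCTAL\n%s\nEND" % _oct(b"190101000000Z"))
BUNDLE = GOOD[0] + MAIL[0] + OLD[0] + STRAY[0]
CERTDATA = "\n".join([GOOD[1], MAIL[1], OLD[1]])  # STRAY gets no trust object at all
AUDIT_DATE = datetime.datetime(2020, 4, 12)
if __name__ == "__main__":
    print(*extraneous_roots(BUNDLE, CERTDATA, AUDIT_DATE), sep="\n")
```

Against a real bundle, pass the contents of /etc/ssl/cert.pem (or the distribution's equivalent) and a freshly fetched certdata.txt; anything the script reports is a root that mk-ca-bundle.pl would not have emitted.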