From: "Filippo Valsorda"
To: ~alpine/devel@lists.alpinelinux.org
Cc: "Natanael Copa"
Date: Sun, 12 Apr 2020 17:00:43 -0400
Subject: Extraneous roots in current ca-certificates package

Hello,

I recently ran a comparison of the root stores of Linux distributions with the Mozilla store, and found a couple of issues:

1. There are a dozen or so certificates in ca-certificates 20191127 (latest) that shouldn't be there. I think this was due to an issue in the Python script that was used to extract them. The new perl script from curl in git.alpinelinux.org/ca-certificates master is doing the right thing, so the fix should simply be to make a new release of the package.

   a. By the way, I would suggest adding a line to the "update" make target to download the latest version of mk-ca-bundle.pl as well, as the certdata.txt format changes over time and new distrust settings might get added. I can send a patch, but it's trivial enough that it might just cause you more work.

2. The Alpine branches that are still receiving security fixes only, v3.8-v3.10, have out-of-date ca-certificates packages which include roots distrusted due to severe security issues like Certinomis and TurkTrust. I think changes in the CA root store easily qualify as security fixes, and updates to ca-certificates should be propagated to all supported versions.

By the way, I would have cc'd a security contact, but I could not find one on the website and it looks like the team might not have one, which is a bit concerning.

Thanks for your work on Alpine,
Filippo
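The comparison the message describes, as an added example that is not part of the e-mail, not the author's script, not Alpine's packaging and not curl's mk-ca-bundle.pl: it parses Mozilla's certdata.txt, keeps only certificates whose CKO_NSS_TRUST object carries CKA_TRUST_SERVER_AUTH = CKT_NSS_TRUSTED_DELEGATOR, and diffs that set by SHA-256 of the DER against a PEM bundle such as /etc/ssl/certs/ca-certificates.crt. This is how a bundle ends up with "extraneous" roots: certdata.txt still lists distrusted (CKT_NSS_NOT_TRUSTED) and e-mail-only (CKT_NSS_MUST_VERIFY_TRUST) certificates, and an extractor that only looks for CKA_VALUE blobs copies them all. Assumptions: trust objects are matched to certificates by (CKA_ISSUER, CKA_SERIAL_NUMBER); the newer CKA_NSS_SERVER_DISTRUST_AFTER attribute is deliberately not handled, which is exactly the kind of format change the message warns about; the embedded certdata and bundle are constructed with dummy 3-byte "DER" blobs, not real certificates, and the `_pair`/`_pem` helpers exist only to build that sample.

```python
import base64
import hashlib
import re
import sys

_OCTAL = re.compile(r"\\([0-7]{3})")


def parse_certdata(text):
    """certdata.txt -> list of {attribute: value}. Objects are blank-line
    separated; MULTILINE_OCTAL values become bytes, UTF8 values are unquoted."""
    lines, objects, cur, i = text.splitlines(), [], {}, 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("#"):
            continue
        if not line:
            if cur:
                objects.append(cur)
                cur = {}
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:  # e.g. the BEGINDATA marker
            continue
        attr, typ = parts[0], parts[1]
        if typ == "MULTILINE_OCTAL":
            buf = bytearray()
            while lines[i].strip() != "END":
                buf += bytes(int(o, 8) for o in _OCTAL.findall(lines[i]))
                i += 1
            i += 1  # skip END
            cur[attr] = bytes(buf)
        elif typ == "UTF8":
            cur[attr] = parts[2].strip('"')
        else:
            cur[attr] = parts[2]
    if cur:
        objects.append(cur)
    return objects


def parse_pem_bundle(pem):
    """DER bytes of every CERTIFICATE block in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def _fp(der):
    return hashlib.sha256(der).hexdigest()


def compare_bundle(certdata_text, bundle_pem):
    """Roots in the bundle that Mozilla does not trust for TLS server auth
    ("extraneous") and Mozilla-trusted roots the bundle lacks ("missing").
    Only CKT_NSS_TRUSTED_DELEGATOR counts as trusted; CKT_NSS_NOT_TRUSTED and
    CKT_NSS_MUST_VERIFY_TRUST both fail. CKA_NSS_SERVER_DISTRUST_AFTER is ignored."""
    objects = parse_certdata(certdata_text)
    certs = {(o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]): o
             for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    trusted = set()
    for o in objects:
        if (o.get("CKA_CLASS") == "CKO_NSS_TRUST"
                and o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"):
            cert = certs.get((o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]))
            if cert is not None:
                trusted.add(_fp(cert["CKA_VALUE"]))
    known = {_fp(c["CKA_VALUE"]): c["CKA_LABEL"] for c in certs.values()}
    bundle = {_fp(der) for der in parse_pem_bundle(bundle_pem)}
    return {
        "extraneous": sorted(known.get(fp, "<not in certdata.txt>") for fp in bundle - trusted),
        "missing": sorted(known[fp] for fp in trusted - bundle),
    }


# Constructed sample input: dummy DER bytes, not real certificates.
def _octal(b):
    return "".join(f"\\{x:03o}" for x in b)


def _pair(label, issuer, serial, der, server_auth):
    """One CKO_CERTIFICATE object followed by its CKO_NSS_TRUST object."""
    ident = (f'CKA_LABEL UTF8 "{label}"\nCKA_ISSUER MULTILINE_OCTAL\n{_octal(issuer)}\nEND\n'
             f"CKA_SERIAL_NUMBER MULTILINE_OCTAL\n{_octal(serial)}\nEND\n")
    return (f"CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n{ident}"
            f"CKA_VALUE MULTILINE_OCTAL\n{_octal(der)}\nEND\n\n"
            f"CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n{ident}"
            f"CKA_TRUST_SERVER_AUTH CK_TRUST {server_auth}\n\n")


def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


_CAS = [  # (label, issuer, serial, dummy DER, CKA_TRUST_SERVER_AUTH)
    ("Good Root", b"A", b"\x01", b"\x30\x03A", "CKT_NSS_TRUSTED_DELEGATOR"),
    ("Email Only Root", b"B", b"\x01", b"\x30\x03B", "CKT_NSS_MUST_VERIFY_TRUST"),
    ("Distrusted Root", b"C", b"\x01", b"\x30\x03C", "CKT_NSS_NOT_TRUSTED"),
    ("New Root", b"D", b"\x01", b"\x30\x03D", "CKT_NSS_TRUSTED_DELEGATOR"),
]
SAMPLE_CERTDATA = "BEGINDATA\n" + "".join(_pair(*c) for c in _CAS)
# Shipped bundle: carries the e-mail-only and distrusted roots plus one root
# certdata.txt knows nothing about, and lacks "New Root".
SAMPLE_BUNDLE = "".join(_pem(d) for d in (_CAS[0][3], _CAS[1][3], _CAS[2][3], b"\x30\x03Z"))

if __name__ == "__main__":  # usage: script.py [certdata.txt ca-certificates.crt]
    inputs = [open(p).read() for p in sys.argv[1:]] if len(sys.argv) == 3 else [SAMPLE_CERTDATA, SAMPLE_BUNDLE]
    for kind, labels in compare_bundle(*inputs).items():
        print(kind, labels)
```

Run with no arguments it reports the sample's three extraneous roots and one missing root; run against a real certdata.txt and a distribution bundle it gives the per-branch diff the message asks for, which is a reasonable check to add to a ca-certificates "update" target before cutting a release. Anything reported as "<not in certdata.txt>" is a root Mozilla has removed entirely, the strongest signal that a stale extractor or a stale branch is shipping it.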