Date: Thu, 19 Jan 2023 23:16:46 +0100 From: Michael Gmelin <grembo@freebsd.org> To: Tomoaki AOKI <junchoon@dec.sakura.ne.jp> Cc: ports@freebsd.org Subject: Re: Can security/ca_root_nss be retired? Message-ID: <7F3E8043-D985-4BC4-97B9-1FF7BA2E54C1@freebsd.org> In-Reply-To: <20230120070931.4ef522dfa48b35ddac0c50ac@dec.sakura.ne.jp> References: <20230120070931.4ef522dfa48b35ddac0c50ac@dec.sakura.ne.jp>
next in thread | previous in thread | raw e-mail | index | archive | help
> On 19. Jan 2023, at 23:09, Tomoaki AOKI <junchoon@dec.sakura.ne.jp> wrote:= >=20 > =EF=BB=BFOn Thu, 19 Jan 2023 05:58:12 -0800 > Mel Pilgrim <list_freebsd@bluerosetech.com> wrote: >=20 >>> On 2023-01-19 4:08, Tomoaki AOKI wrote: >>> On Thu, 19 Jan 2023 03:13:48 -0800 >>> Mel Pilgrim <list_freebsd@bluerosetech.com> wrote: >>>=20 >>>> Given /usr/share/certs exists for all supported releases, is there any >>>> reason to keep the ca_root_nss port? >>>=20 >>> If everyone in the world uses LATEST main only, yes. >>> But the assumption is clearly nonsense. >>>=20 >>> Basically, commits to main are settled a while before MFC to stable >>> branches, and MFS to releng branches needs additional settling days. >>>=20 >>> If any certs happened to be non-reliable, this delay can cause, at >>> worst, catastorphic scenario. >>>=20 >>> If updates to certs are always promised to be "MFC after: now" and >>> committed to ALL SUPPORTED BRANCHES AT ONCE, I have no objection. >>>=20 >>> If not, keeping ca_root_nss port and updated ASAP with upstream should >>> be mandatory. >>=20 >> If ca_root_nss delivered the certs in the same format, sure, but that=20 >> monolithic file makes installing private CAs a hassle. >>=20 >> I wonder if the script secteam uses to update the trust store in the src=20= >> tree could be turned into a periodic script that automatically updates=20= >> the trust store? Side-step the release engineering delay entirely by=20 >> turning trust store updates into a user task. >=20 > With the approach, how can we avoid man-in-the-middle attack or > something? >=20 > Ports framework has checksum to avoid it, unless local admins > intentionally disable it. >=20 > Maybe adding a script to > *Check if /usr/local/share/certs/ca-root-nss.crt is updated or not. > *Extract individual certs from ca-root-nss.crt and update trust store. > *Record current timestamp and hash of ca-root-nss.crt for next run. > into ca-root-nss port, which can be run from cron or by hand, is needed? >=20 Whatever we do, let=E2=80=99s make sure we don=E2=80=99t break existing setu= ps - this needs to be well coordinated. Personally, I don=E2=80=99t want to u= pdate (and reboot) the OS in order to get a current list of trusted CAs (at l= east as long as pkgbase isn=E2=80=99t mainstream this is an issue). Michael
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7F3E8043-D985-4BC4-97B9-1FF7BA2E54C1>