On 04/02/2014 12:27 AM, Filipus Klutiero wrote:
> I rarely see multiple NEWS entries from packages which I never directly
> interact with. ca-certificates is one package I never had to install,
> remove, upgrade, downgrade, fix, or even learn about, yet it has 17
> entries in 10 years. In fact, ca-certificates is the biggest NEWS.Debian
> user of all packages installed on my machine (disregarding the package's
> age - zgrep -hc urgency /usr/share/doc/*/NEWS.Debian*|sort -g).
>
> After examination of the entries, I do not think that this usage is
> optimal. First of all, as NEWS entries of packages for "users" can be
> displayed to system administrators of various proficiency, entries
> should be worded clearly. The latest entry illustrates that this aspect
> is deficient for ca-certificates:
>
> ca-certificates (20140325) unstable; urgency=medium
>
>   Update mozilla/certdata.txt to version 1.97+revert_of_936304
>     Mozilla reverted the removal of 1024-bit root certificates for
>     Entrust.net, GTE CyberTrust, and ValiCert (RSA), but did not
>     update the version number in nssckbi.h.
>     Certificates added (+) (none removed):
>     + "Entrust.net Secure Server CA"
>     + "GTE CyberTrust Global Root"
>     + "RSA Root Certificate 1"
>     + "ValiCert Class 1 VA"
>     + "ValiCert Class 2 VA"

> Even as a longtime Debian contributor, I have to focus quite a while
> before developing some understanding of what this might mean. Hopefully
> I understood the right thing (I think that means the 5 certificates
> mentioned were added). This description may be fine for the changelog
> (and better than a simplified version), but will surely lose most
> readers in NEWS.Debian.

I have carried on the NEWS entries of CA certificate adds/removes listings in the same manner as previous maintainers of the package. I have attempted to follow a simple format for all the mozilla entries, including a legend for the lines that follow; (+)=adds, (-)=removes. To my eyes, it is quick to scan the list and grep'able. In addition, the subsequent lines are the quoted human readable CKA_LABEL values (there are some old NMU entries that listed the converted .crt filenames, which I don't think are very readable).

Do you have an example of how to improve these NEWS entries?

> I recognize that there are presumably security implications to changing
> the set of certificates. I suppose adding certificates facilitates
> phishing, but unless I'm missing something, trusting a phony certificate
> can't directly cause an exploit. I suppose removing certificates may
> confuse users and *perhaps* break automated scripts. I suppose a small
> number of administrators appreciate having a way to follow every change
> to the list of certificates. That being said, there are lots of changes
> in Debian. We can only afford to display those which we know would cause
> the most problematic unexpected issues. The risks should be compared
> with the costs. People particularly concerned about certificates can
> read the changelog when they upgrade the package. Also, since packages
> aren't upgraded at random times, system administrators should be
> monitoring a system more just after an upgrade, so potential issues can
> be expected to be less costly.

In ca-certificates_20140223 I intentionally, as clearly as I could, as the first NEWS entry, on a line by itself, stated a certificate removal that is important for particular users to see. Yes, these entries are important. I cannot assume which ones may be more or less important to users, and I leave this up to the user by providing the information.

> I leave it to experts to decide how to react, but I feel that
> certificate additions should not be mentioned, while I'm not sure that
> removals deserve mention. Use of judgment may also be warranted (a
> change affecting a top CA could be treated differently). If some
> mentions are kept, it would be great to phrase entries so that readers
> understand what issues a change could cause.

I provide the factual changes and let users decide what to do with the information. These are all "top CA" certificate vendors, since your system is going to trust them. The user needs to modify their personal trust settings accordingly, if they care to do so. With nearly 200 certificates in the bundle, I think having a list of the ones that were just added/removed helps users. If the user doesn't care to see NEWS entries, 'apt-get remove apt-listchanges' is quick and painless.

I'd be happy to improve the entries, if you have a concrete example, but I don't think the provided contextual information should be edited.

Feel free to take the proposed wheezy-pu and squeeze-pu updates as examples that a user may see in the future. The squeeze-pu is rather large ;)

wheezy-pu NEWS - http://goo.gl/SQ0VnY
squeeze-pu NEWS - http://goo.gl/EqUkLx

Thanks for the bug report!
--
Kind regards,
Michael
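Added example, not part of the thread or of the ca-certificates package: a small Python parser for the NEWS.Debian layout discussed above (a changelog-style header line, then an indented body in which `+ "label"` / `- "label"` lines name the CKA_LABEL added or removed). It turns the list into something an administrator can act on, for instance "which trusted roots disappeared between the version I have installed and the one I am about to upgrade to". The 20140325 entry is the one quoted in the thread; the 20140223 body, its label, and both maintainer trailer lines are constructed placeholders, since the page does not reproduce them.

```python
import re

# Constructed sample in NEWS.Debian layout, newest entry first (as in the
# real file). The 20140325 entry is the one quoted in the bug thread; the
# 20140223 body, its label and the " -- " trailer lines are placeholders.
SAMPLE_NEWS = """\
ca-certificates (20140325) unstable; urgency=medium

  Update mozilla/certdata.txt to version 1.97+revert_of_936304
    Mozilla reverted the removal of 1024-bit root certificates for
    Entrust.net, GTE CyberTrust, and ValiCert (RSA), but did not
    update the version number in nssckbi.h.
    Certificates added (+) (none removed):
    + "Entrust.net Secure Server CA"
    + "GTE CyberTrust Global Root"
    + "RSA Root Certificate 1"
    + "ValiCert Class 1 VA"
    + "ValiCert Class 2 VA"

 -- Placeholder Maintainer <maintainer@example.com>  Tue, 25 Mar 2014 00:00:00 +0000

ca-certificates (20140223) unstable; urgency=medium

  Certificates removed (-) (none added):
    - "Example Placeholder Root CA"

 -- Placeholder Maintainer <maintainer@example.com>  Sun, 23 Feb 2014 00:00:00 +0000
"""

# Header line: "<package> (<version>) <distribution>; urgency=<level>"
HEADER_RE = re.compile(
    r'^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dist>\S+); urgency=(?P<urg>\S+)\s*$'
)
# Change line: optional indent, a + or - sign, one space, a quoted CKA_LABEL.
# The trailer line ' -- Name <mail>' does not match because the sign must be
# followed by a space and a double quote.
CHANGE_RE = re.compile(r'^\s*(?P<sign>[+-]) "(?P<label>[^"]+)"\s*$')


def parse_news(text):
    """Return a list of entries (newest first) with version, urgency,
    and the labels listed under (+) and (-)."""
    entries = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {
                "version": header.group("ver"),
                "urgency": header.group("urg"),
                "added": [],
                "removed": [],
            }
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first header is ignored
        change = CHANGE_RE.match(line)
        if change:
            key = "added" if change.group("sign") == "+" else "removed"
            current[key].append(change.group("label"))
    return entries


def count_news_entries(text):
    """Number of entries, i.e. what 'zgrep -c urgency NEWS.Debian' counts
    when 'urgency' only occurs on header lines."""
    return sum(1 for line in text.splitlines() if HEADER_RE.match(line))


def changes_since(entries, installed_version):
    """Labels added and removed by every entry newer than installed_version.
    Entries are newest-first, so we stop at the installed one; if it is not
    present, every entry in the file is counted."""
    added, removed = [], []
    for entry in entries:
        if entry["version"] == installed_version:
            break
        added.extend(entry["added"])
        removed.extend(entry["removed"])
    return added, removed


if __name__ == "__main__":
    parsed = parse_news(SAMPLE_NEWS)
    print("entries:", count_news_entries(SAMPLE_NEWS))
    for entry in parsed:
        print(entry["version"], "+%d -%d" % (len(entry["added"]), len(entry["removed"])))
    new, gone = changes_since(parsed, "20140223")
    print("since 20140223: added", new, "removed", gone)
```

Run against the real file with `zcat /usr/share/doc/ca-certificates/NEWS.Debian.gz` piped into `parse_news()` and the installed version from `dpkg-query -W -f '${Version}' ca-certificates`; the `removed` list from `changes_since()` is the part worth checking before an upgrade, since a removed root is what can break a script that pins a certificate chain.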

