On Fri, Dec 16, 2016 at 11:56 AM, Kurt Roeckx <k...@roeckx.be> wrote:
> So I guess I should also reply to the rest here.
>
> I am a Debian Developer and an OpenSSL developer, but I'm not
> speaking in anybody's name. But I do want to represent concerns
> that the general open source community might have that just isn't
> active on this list. Maybe more of them should be active here, but
> probably they just don't know about it.
>
> In Debian we actually ship libcurl linked against gnutls, nss and
> openssl. Just like we ship a whole lot of other software. Almost
> all of the software that supports X509 makes use of the Mozilla root
> store. There are clearly problems with the way it uses it, but we
> should at least avoid making it worse.

Right, but if you're going to take a dependency on upstream (which
'Almost all of the software that supports X509 makes use of the
Mozilla root store' effectively is), you either need to accept
upstream's decisions and deal with it (just like any upstream project
can change an API) or participate with upstream.

So far, the answer has been "You make use at your own peril" -
although that's not because of apathy or active hostility towards
those projects, more to the side of "You should be participating with
and tracking upstream if you're going to depend on it".

Or, to use more Mozilla/Firefox terms:
- NSS (and Mozilla projects) are a Tier 1 platform for the Mozilla Root Store
- Distros that depend on the Mozilla Root Store, but actively
participate in development (e.g.: I'm looking at you, all you
wonderful Red Hat folks :P) are sort-of Tier 2 - it depends on the
breakage, but generally it's somewhere between 1&2
- Other software depending on the Mozilla Root Store is more akin to
Tier 3 or (worse) Tier 4.
  - If you're participating and active in discussions, you're likely
between Tier 3 and Tier 2
  - If you're just tracking upstream (*cough* Debian :P), and not
participating, you're really in that Tier 3 form (if you're paying
attention and maintaining it) or Tier 4 (if you're not even paying
attention and just taking it blindly)

> If there are such changes needed in other software, having that
> software fixed in 3 months shouldn't actually be a problem. But
> unless someone is going to assign a CVE to it, it's probably not
> going to get deployed.

Sure, but that's kinda incumbent on downstream, much like a downstream
that 'abused' internal APIs is a perfectly justifiable target to break
/ not be concerned about.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
