Bug#619059: ITP: libmozilla-ca-perl -- Mozilla's CA cert bundle in PEM format
Nicholas Bamber nicho...@periapt.co.uk writes:

> Package: wnpp
> Owner: Nicholas Bamber nicho...@periapt.co.uk
> Severity: wishlist
> X-Debbugs-CC: debian-de...@lists.debian.org,debian-p...@lists.debian.org
>
> * Package name    : libmozilla-ca-perl
>   Version         : 20110301
>   Upstream Author : Gisle Aas gi...@activestate.com
> * URL             : http://search.cpan.org/dist/Mozilla-CA/
> * License         : MPL-1.1 or GPL-2+ or LGPL-2.1+
>   Programming Lang: Perl
>   Description     : Mozilla's CA cert bundle in PEM format
>
> Mozilla::CA provides a copy of Mozilla's bundle of Certificate Authority certificates in a form that can be consumed by modules and libraries based on OpenSSL.

I'm assuming your motivation for packaging this is the latest release of libwww-perl using this module for SSL trust chain validation when using https.

I'm writing this email in order to point out that what makes sense for CPAN isn't necessarily the right thing to do for downstream distributions.

LWP decided to validate SSL certificates. For that it needs a list of trusted certificate authorities. With the way we distribute software on CPAN right now, we don't have a way of actually asking the user about what authorities he'd like to trust. LWP kind of took the easy route and just went with Mozilla::CA and trusts every authority Mozilla trusts, without giving the user much of a chance to customise things, unless he's willing to maintain a local directory containing trusted CAs and changing his code to use that in favour of the one provided by Mozilla::CA.

In Debian, we already have a more convenient way to ship CA certificates and give the local administrator the possibility to trust or not trust the included authorities individually and to easily add new trusted authorities not already provided by Debian. The infrastructure for that exists in the ca-authorities package.

I'd like you to consider modifying LWP for Debian so it'll make use of the infrastructure we already have.

I haven't actually investigated how involved the customisations for that would have to be, but I have a strong suspicion that it's going to end up being quite minimal and easily maintainable in the long run.

In case that turns out to be false, the upstream maintainers of the related CPAN distributions, libwww-perl, IO-Socket-SSL, and Net-SSLeay, are generally open to patches and I'm sure they'd also be very open to working with downstreams such as Debian in order to make this sort of customisation even easier, if need be.
Bug#619059: ITP: libmozilla-ca-perl -- Mozilla's CA cert bundle in PEM format
Package: wnpp
Owner: Nicholas Bamber nicho...@periapt.co.uk
Severity: wishlist
X-Debbugs-CC: debian-de...@lists.debian.org,debian-p...@lists.debian.org

* Package name    : libmozilla-ca-perl
  Version         : 20110301
  Upstream Author : Gisle Aas gi...@activestate.com
* URL             : http://search.cpan.org/dist/Mozilla-CA/
* License         : MPL-1.1 or GPL-2+ or LGPL-2.1+
  Programming Lang: Perl
  Description     : Mozilla's CA cert bundle in PEM format

Mozilla::CA provides a copy of Mozilla's bundle of Certificate Authority certificates in a form that can be consumed by modules and libraries based on OpenSSL.
Bug#619059: ITP: libmozilla-ca-perl -- Mozilla's CA cert bundle in PEM format
On Sun, Mar 20, 2011 at 09:26:07PM +, Nicholas Bamber wrote:

> Mozilla::CA provides a copy of Mozilla's bundle of Certificate Authority certificates in a form that can be consumed by modules and libraries based on OpenSSL.

I don't think this should be packaged. Debian already offers a certificate store provided by the ca-certificates package in /etc/ssl/certs, in a form that can be consumed by modules and libraries based on OpenSSL.

If this is required as a dependency, the depending package should be patched (possibly to support more than a single CA) or this package should only be a stub to the Mozilla CA in ca-certificates.

In the case of LWP::UserAgent, setting SSL_ca_file to /etc/ssl/certs/ca-certificates.crt or SSL_ca_path to /etc/ssl/certs should work. Then it will support all certificates the local administrator has enabled.
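The LWP::UserAgent setting suggested in the message above, as an added example (not code from the thread, libwww-perl or Debian): it prefers the administrator-controlled store at the two paths named above and uses Mozilla::CA only when neither exists. The helper name `trust_store_opts` and the fallback order are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

# Paths named in the thread; both are maintained by ca-certificates.
my $SYSTEM_CA_FILE = '/etc/ssl/certs/ca-certificates.crt';
my $SYSTEM_CA_PATH = '/etc/ssl/certs';

# Hypothetical helper: return the ssl_opts pair that selects a trust store.
sub trust_store_opts {
    # Prefer the single bundle the local administrator controls.
    return (SSL_ca_file => $SYSTEM_CA_FILE)
        if -r $SYSTEM_CA_FILE && -s _;

    # Otherwise the hashed directory of individual certificates.
    return (SSL_ca_path => $SYSTEM_CA_PATH)
        if -d $SYSTEM_CA_PATH;

    # Last resort: the bundle shipped inside Mozilla::CA, if installed.
    if (eval { require Mozilla::CA; 1 }) {
        return (SSL_ca_file => Mozilla::CA::SSL_ca_file());
    }

    # Fail closed rather than connect without verification.
    die "no CA certificates found; refusing to connect unverified\n";
}

my %store = trust_store_opts();
my $ua = LWP::UserAgent->new(
    ssl_opts => {
        verify_hostname => 1,    # match the certificate name to the host
        %store,
    },
);

printf "trust store: %s=%s\n", %store;

# Optional: pass an https URL as the first argument to test a connection.
if (my $url = shift @ARGV) {
    my $res = $ua->get($url);
    print(($res->is_success ? "verified: " : "failed: "),
          $res->status_line, "\n");
}
```

With this in place, a CA the administrator has disabled in ca-certificates is no longer trusted by the script, which is the behaviour the replies in this thread ask for.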
Bug#619059: ITP: libmozilla-ca-perl -- Mozilla's CA cert bundle in PEM format
On Sun, Mar 20, 2011 at 09:26:07PM +, Nicholas Bamber wrote:

> * Package name    : libmozilla-ca-perl
>   Version         : 20110301
>   Upstream Author : Gisle Aas gi...@activestate.com
> * URL             : http://search.cpan.org/dist/Mozilla-CA/
> * License         : MPL-1.1 or GPL-2+ or LGPL-2.1+
>   Programming Lang: Perl
>   Description     : Mozilla's CA cert bundle in PEM format
>
> Mozilla::CA provides a copy of Mozilla's bundle of Certificate Authority certificates in a form that can be consumed by modules and libraries based on OpenSSL.

Is this really appropriate for Debian's purposes? I would think that using ca-certificates is probably better since not only are the certificates already in PEM format but the administrator can choose to add, remove, enable, or disable certificates in one central place.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187