Shared System Certificates followup: Packaging Guidelines?

Stephen Gallagher sgallagh at redhat.com
Wed Jan 8 20:02:09 UTC 2014



On 01/08/2014 02:57 PM, Kai Engert wrote:
> On Mi, 2014-01-08 at 13:38 -0500, Stephen Gallagher wrote:
>> I don't really see this being more likely than an existing
>> application just bundling a wrapper script for certificate
>> generation and 'update-ca-extract' and quietly running that as
>> part of %post. Just as easy to miss and equally effective (with
>> much less trouble).
> 
> true
> 
>> I don't think that we can really write policy that eliminates the
>> risk of a determined abuse of the available technology.
> 
> Probably. What do you think about adding a section to package
> reviewing guidelines, which says that packages that add files to
> the global CA directories should provide reasoning, and have
> someone check that reasoning. It might at least make people aware
> this is something to be careful with.
> 

That seems perfectly reasonable to me.


