[blfs-dev] ca-certs: symlink to ca-bundle.crt ?

Thu, 01 Nov 2018 19:32:25 -0700 

At last, I've found out *what* was telling me that update-leap (from
ntp) was telling me to install Mozilla::CA because it could not find
the system's certificates.  And no, it was not LWP-Protocol-https -
the deps listed in update-leap are technically correct.

The item in question is HTTP::Tiny which ntp still claims is an
external module, but has been part of core perl since at least
5.14.1 (the oldest log I have on this machine).  And there, the code
says:

   # cert list copied from golang src/crypto/x509/root_unix.go
    foreach my $ca_bundle (
        "/etc/ssl/certs/ca-certificates.crt",     #
Debian/Ubuntu/Gentoo etc.
        "/etc/pki/tls/certs/ca-bundle.crt",       # Fedora/RHEL
        "/etc/ssl/ca-bundle.pem",                 # OpenSUSE
        "/etc/openssl/certs/ca-certificates.crt", # NetBSD
        "/etc/ssl/cert.pem",                      # OpenBSD
        "/usr/local/share/certs/ca-root-nss.crt", #
FreeBSD/DragonFly
        "/etc/pki/tls/cacert.pem",                # OpenELEC
        "/etc/certs/ca-certificates.crt",         # Solaris 11.2+
    ) {
        return $ca_bundle if -e $ca_bundle;
    }

    die qq/Couldn't find a CA bundle with which to verify the SSL
certificate.\n/
      . qq/Try installing Mozilla::CA from CPAN\n/;
}

This looks very like the code I was planning to change in biber if I
could get rid of Mozilla::CA.  So, rather than hack on core perl
(and therefore leave it broken for people who have not made the
change), I propose to do something like

mkdir -pv /etc/pki/tls/certs
ln -svf /etc/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt

(on the certs page : we already create /etc/pki/)

And if that works (far too late for me to test it at the moment) I
think we can just drop Mozilla::CA.

I'm sure DJ will understand why I want to drop Mozilla::CA, but for
everyone else - Mozilla update their certificates regularly (in
particular, dropping trust), plus clever people can add other
certificates locally.  The Mozilla::CA perl module was last updated
in January, so it is well out of date and only gets used as a
fallback because that is convenient for CPAN - really, we should
always prefer the system's certificates.

Or, am I again "too far out, and not waving but drowning" ?  If so,
please advise soonest.

ĸen
-- 
                        Is it about a bicycle ?
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Reply via email to