Package: ca-certificates
Version: 20140325
Severity: wishlist
Entries of NEWS.Debian are displayed by apt-listchanges. Having used testing
for a decade with both apt-listchanges and ca-certificates installed, I have
been shown such entries relatively often. Since ca-certificates is installed on
about 96% of Debian installs, I must not be the only person who noticed these.
I rarely see multiple NEWS entries from packages which I never directly
interact with. ca-certificates is one package I never had to install, remove,
upgrade, downgrade, fix, or even learn about, yet it has 17 entries in 10
years. In fact, ca-certificates is the biggest NEWS.Debian user of all packages
installed on my machine (disregarding the package's age - zgrep -hc urgency
/usr/share/doc/*/NEWS.Debian*|sort -g).
After examination of the entries, I do not think that this usage is optimal. First of
all, as NEWS entries of packages for "users" can be displayed to system
administrators of various proficiency, entries should be worded clearly. The latest entry
illustrates that this aspect is deficient for ca-certificates:
ca-certificates (20140325) unstable; urgency=medium

  Update mozilla/certdata.txt to version 1.97+revert_of_936304

  Mozilla reverted the removal of 1024-bit root certificates for
  Entrust.net, GTE CyberTrust, and ValiCert (RSA), but did not update the
  version number in nssckbi.h.

  Certificates added (+) (none removed):
  + "Entrust.net Secure Server CA"
  + "GTE CyberTrust Global Root"
  + "RSA Root Certificate 1"
  + "ValiCert Class 1 VA"
  + "ValiCert Class 2 VA"
Even as a longtime Debian contributor, I have to focus quite a while before
developing some understanding of what this might mean. Hopefully I understood
the right thing (I think that means the 5 certificates mentioned were added).
This description may be fine for the changelog (and better than a simplified
version), but will surely lose most readers in NEWS.Debian.
I recognize that there are presumably security implications to changing the set
of certificates. I suppose adding certificates facilitates phishing, but unless
I'm missing something, trusting a phony certificate can't directly cause an
exploit. I suppose removing certificates may confuse users and *perhaps* break
automated scripts. I suppose a small number of administrators appreciate having
a way to follow every change to the list of certificates. That being said,
there are lots of changes in Debian. We can only afford to display those which
we know would cause the most problematic unexpected issues. The risks should be
compared with the costs. People particularly concerned about certificates can
read the changelog when they upgrade the package. Also, since packages aren't
upgraded at random times, system administrators should be monitoring a system
more just after an upgrade, so potential issues can be expected to be less
costly.
I leave it to experts to decide how to react, but I feel that certificate
additions should not be mentioned, while I'm not sure that removals deserve
mention. Use of judgment may also be warranted (a change affecting a top CA
could be treated differently). If some mentions are kept, it would be great to
phrase entries so that readers understand what issues a change could cause.
--
Filipus Klutiero
http://www.philippecloutier.com
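An added example, not part of the bug report or of the ca-certificates package: two small shell helpers for the two checks the report touches on. The first does what the report's zgrep one-liner does, but keeps the package name next to each count, assuming the usual /usr/share/doc/<package>/NEWS.Debian[.gz] layout and that every stanza header carries an "urgency=" field. The second is the check an administrator who does want to follow trust-store changes can run themselves: given two saved listings of certificate names (for instance of /usr/share/ca-certificates/mozilla/ before and after an upgrade), it prints the added and removed names in the same "+"/"-" form as the NEWS entry. All input files here are constructed in a temp directory so the script runs offline; the package and certificate names in the sample data are illustrative only.

```shell
#!/bin/sh
# Added example, not part of the bug report: two helpers for the checks the
# report touches on. Every input file is constructed below in a temp dir, so
# this runs offline; point the functions at real paths to use them for real.
set -eu
export LC_ALL=C   # sort and comm must agree on collation

# Read a NEWS.Debian file whether or not it is gzipped (Debian ships both).
read_news() {
    case $1 in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Count NEWS.Debian stanzas per package under a doc directory
# (assumed layout: DIR/<package>/NEWS.Debian[.gz], as in /usr/share/doc).
# The report's one-liner prints bare counts; this keeps the package name
# beside each count and lists the heaviest NEWS.Debian users first.
# Each changelog-style stanza header ends in "urgency=<level>".
news_entry_counts() {
    docdir=$1
    for f in "$docdir"/*/NEWS.Debian "$docdir"/*/NEWS.Debian.gz; do
        [ -f "$f" ] || continue
        pkg=$(basename "$(dirname "$f")")
        n=$(read_news "$f" | grep -c 'urgency=' || true)
        printf '%s %s\n' "$n" "$pkg"
    done | sort -rn
}

# Report trust-store changes between two versions as "+ name" / "- name"
# lines, the form the NEWS entry quoted above uses. Inputs are two files with
# one certificate name per line, e.g. a saved listing of
# /usr/share/ca-certificates/mozilla/ taken before and after an upgrade.
ca_list_diff() {
    sort -u "$1" > "$TMPD/old.sorted"
    sort -u "$2" > "$TMPD/new.sorted"
    # only in new = added; only in old = removed
    comm -13 "$TMPD/old.sorted" "$TMPD/new.sorted" | sed 's/^/+ "/; s/$/"/'
    comm -23 "$TMPD/old.sorted" "$TMPD/new.sorted" | sed 's/^/- "/; s/$/"/'
}

# ---- constructed sample data (not real files from any Debian system) ----
TMPD=$(mktemp -d)
SAMPLE=$TMPD/doc
mkdir -p "$SAMPLE/ca-certificates" "$SAMPLE/libfoo" "$SAMPLE/quiet-pkg"
for v in 20140325 20130906 20130119; do
    printf 'ca-certificates (%s) unstable; urgency=medium\n\n  entry\n\n' "$v"
done > "$SAMPLE/ca-certificates/NEWS.Debian"
printf 'libfoo (1.0-1) unstable; urgency=low\n\n  entry\n\n' |
    gzip > "$SAMPLE/libfoo/NEWS.Debian.gz"
: > "$SAMPLE/quiet-pkg/README"          # a package with no NEWS at all
printf '%s\n' 'DigiCert Global Root CA' 'Retired Example Root' \
    'ValiCert Class 1 VA' > "$TMPD/certs.old"
printf '%s\n' 'DigiCert Global Root CA' 'Entrust.net Secure Server CA' \
    'ValiCert Class 1 VA' 'ValiCert Class 2 VA' > "$TMPD/certs.new"

echo 'NEWS.Debian stanzas per package:'
news_entry_counts "$SAMPLE"
echo 'Trust store changes:'
ca_list_diff "$TMPD/certs.old" "$TMPD/certs.new"
```

On the sample data the first helper prints "3 ca-certificates" above "1 libfoo" (quiet-pkg, having no NEWS file, is absent), and the second prints the two added names with a "+" and the one retired name with a "-". Run against a real system, replace $SAMPLE with /usr/share/doc and feed the diff helper listings you saved yourself; the "urgency=" match is the only assumption about the file contents.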