Control: tag -1 moreinfo unreproducible On Thu, Apr 28, 2022 at 12:38:28PM -0400, S. Egbert wrote: > A group of auditors were reviewing the CA inclusion process
I.. don't know what the above means. > and have examined the `update-ca-certificates` and its code. > > This issue is not about the PKI nor its certificate handling. > > One auditor noticed that the ordering of looking for OpenSSL > executable file (`openssl`) seems ... counterintuitive? > > I would imagine that the correct ordering for searching this `openssl` > executable file be something like: > > 1. /usr/local/sbin/openssl > 2. /usr/local/bin/openssl > 3. /usr/sbin/openssl > 4. /usr/bin/openssl > > > The actually and current order by the latest `update-ca-certificates` > in looking for this `openssl` exectuable is currently: > > 1. $CWD/openssl > 2. /usr/local/bin/openssl > 3. /usr/local/sbin/openssl > 4. /usr/bin/openssl > 5. /usr/sbin/openssl > > Please note the inversal of `sbin` and `bin`. (The ordering of > `/usr`/`/usr/local` complies with FSSTD v2.3). > update-ca-certificates doesn't specify a path for openssl, it relies on $PATH being set, like most things. I don't see a bug here. Cheers, Julien

