Control: tag -1 moreinfo unreproducible

On Thu, Apr 28, 2022 at 12:38:28PM -0400, S. Egbert wrote:
> A group of auditors were reviewing the CA inclusion process

I.. don't know what the above means.

> and have examined the `update-ca-certificates` and its code.
> 
> This issue is not about the PKI nor its certificate handling.
> 
> One auditor noticed that the ordering of looking for OpenSSL
> executable file (`openssl`) seems ... counterintuitive?
> 
> I would imagine that the correct ordering for searching this `openssl`
> executable file be something like:
> 
> 1.  /usr/local/sbin/openssl
> 2.  /usr/local/bin/openssl
> 3.  /usr/sbin/openssl
> 4.  /usr/bin/openssl
> 
> 
> The actually and current order by the latest `update-ca-certificates`
> in looking for this `openssl` exectuable is currently:
> 
> 1.  $CWD/openssl 
> 2.  /usr/local/bin/openssl
> 3.  /usr/local/sbin/openssl
> 4.  /usr/bin/openssl
> 5.  /usr/sbin/openssl
> 
> Please note the inversal of `sbin` and `bin`.  (The ordering of
> `/usr`/`/usr/local` complies with FSSTD v2.3).
> 
update-ca-certificates doesn't specify a path for openssl, it relies on
$PATH being set, like most things.

I don't see a bug here.

Cheers,
Julien

Reply via email to