On Tue, December 17, 2013 4:13 pm, Leif W wrote:
> On Tuesday, December 17, 2013 6:02:32 PM UTC-5, Michael Shuler wrote:
> > Attached is my little check script that I run from cron to check for new
>
> Thank you! My context for pulling the certdata.txt is from within the
> mk-ca-bundle.pl (or .vbs) script from the cURL project, which has no
> external dependencies. Pulling from an https presents a chicken-and-egg
> problem so I'd have to use http. Others seem to use this script as well.
>

That would be unfortunate for security: people downloading a blob of
certificates to trust over an unauthenticated channel. What could possibly go
wrong there?

> However, I was wary about pulling directly from a source repository versus
> a release, in case of an erroneous commit or something. Presumably such a
> thing would be caught fairly quickly. Definitely caught by the next aurora
> or nss release. Whereas, it may not be caught at the precise time
> someone, somewhere in the world runs their copy of the mk-ca-bundle.pl script.
>
> Is this a valid line of reasoning? If not, I'd be happy just pulling from
>
> http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
>
> and pass that on as a somewhat official preferred source. :)
>
> Leif

Can I recommend instead bundling it as part of cURL?

Absolutely pulling the tip of tree is a Bad Idea - wait for a release.
Likewise, pulling it over HTTP is a Bad Idea - use a secure transport.

If you feel those are unreasonable, bundling it as part of cURL seems eminently
more responsible and security-conscious for users.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
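The thread is about a script (cURL's mk-ca-bundle.pl) that turns NSS's certdata.txt into a PEM trust bundle, and about where that file should come from. The following Python is an added example, written for this page and not taken from cURL or from any message in the thread. It does the two things the replies care about: it parses the certdata.txt object format (CKA_CLASS records, MULTILINE_OCTAL blocks terminated by END, CK_TRUST flags) and emits PEM only for roots whose trust record says CKT_NSS_TRUSTED_DELEGATOR for server auth, and it refuses a source URL that is plain http or that points at the hg "default" (tip-of-tree) path the thread quotes. The sample input is constructed (the octal bytes are filler, not a real certificate), certificates are matched to trust records by CKA_LABEL (an assumption; the real script has used other keys over time), and the "/raw-file/default/" test is a heuristic for the URL shape on this page, not a general rule about Mercurial hosting.

```python
"""Parse an NSS certdata.txt blob into a PEM bundle and gate the source URL.

Added example for the mailing-list thread above; not cURL's mk-ca-bundle.pl.
"""
import base64
import re
import textwrap
from urllib.parse import urlparse

# Constructed sample in certdata.txt layout. The octal payloads are filler
# bytes, NOT real DER certificates; they only exercise the decoder.
SAMPLE_CERTDATA = r"""
# Certificate "Good Root" (constructed)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Good Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\101\102
\103\104
END

# Trust for "Good Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Good Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "Distrusted Root" (constructed)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Distrusted Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000\131\132
END

# Trust for "Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

OCTAL_RE = re.compile(r"\\([0-7]{3})")


def decode_octal_block(lines):
    """Decode certdata's MULTILINE_OCTAL escapes (\\060\\202 ...) into bytes."""
    return bytes(int(m, 8) for line in lines for m in OCTAL_RE.findall(line))


def parse_certdata(text):
    """Return one attribute dict per object; a new object starts at CKA_CLASS."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        attr = parts[0]
        ctype = parts[1] if len(parts) > 1 else ""
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:
            continue  # attribute before any CKA_CLASS: not a well-formed object
        if ctype == "MULTILINE_OCTAL":
            block = []
            for raw in lines:  # consume until the END sentinel
                if raw.strip() == "END":
                    break
                block.append(raw)
            current[attr] = decode_octal_block(block)
        elif ctype == "UTF8":
            current[attr] = parts[2].strip('"')
        else:
            current[attr] = parts[2] if len(parts) > 2 else ""
    return objects


def build_bundle(text):
    """Return (pem_text, included_labels, skipped_labels).

    Only roots whose CKO_NSS_TRUST record marks CKA_TRUST_SERVER_AUTH as
    CKT_NSS_TRUSTED_DELEGATOR are emitted; matching by label is an assumption.
    """
    objects = parse_certdata(text)
    certs = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    trust = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    pem, included, skipped = [], [], []
    for label, cert in certs.items():
        flag = trust.get(label, {}).get("CKA_TRUST_SERVER_AUTH")
        if flag != "CKT_NSS_TRUSTED_DELEGATOR":
            skipped.append(label)
            continue
        b64 = base64.b64encode(cert["CKA_VALUE"]).decode("ascii")
        pem.append(f"{label}\n-----BEGIN CERTIFICATE-----\n"
                   + "\n".join(textwrap.wrap(b64, 64))
                   + "\n-----END CERTIFICATE-----\n")
        included.append(label)
    return "".join(pem), included, skipped


def source_is_acceptable(url):
    """Return (ok, reason): reject plain http and the hg 'default' tip path."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, f"trust store must not be fetched over {parsed.scheme!r}"
    if "/raw-file/default/" in parsed.path:  # heuristic: hg tip-of-tree URL shape
        return False, "refusing tip of tree; use a release tag"
    return True, "ok"


if __name__ == "__main__":
    bundle, kept, dropped = build_bundle(SAMPLE_CERTDATA)
    print(f"included: {kept}, skipped: {dropped}")
    print(bundle)
```

The decoder and trust filter are the part of mk-ca-bundle's job that matters for security: a certdata.txt entry with CKT_NSS_NOT_TRUSTED must never reach the bundle, so the filter is keyed on the positive trust value rather than on the absence of a negative one.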

