Re: RFC: raising ca-certificates package Priority to standard or important
https://www.eff.org/https-everywhere https is getting everywhere. If you don't have ca's you cannot process them properly. I think https working is going to be important even for almost all embedded cases. Most iot deployments include something like calling the mothership, which ought to be https... apt is generally https. I guess priority-wise it should be considered part of TLS or libSSL so that whenever one of those is installed, the ca's are also installed. Again... omitting TLS makes something so crippled as to be next to useless... it's like omitting networking entirely at this point. On Fri, Jan 22, 2021 at 6:38 AM Steve McIntyre wrote: > Hey Julien, > > On Fri, Jan 22, 2021 at 12:00:56PM +0100, Julien Cristau wrote: > >On Thu, Jan 21, 2021 at 02:47:25PM -0300, Antonio Terceiro wrote: > >> On Thu, Jan 21, 2021 at 03:10:47PM +0100, Julien Cristau wrote: > >> > And which of standard or important made most sense (AIUI, standard > >> > means "installed by default in d-i" and important means "installed by > >> > default in debootstrap"). > >> > >> wget is already Priority: standard and recommends ca-certificates, so it > >> seems to me that making it standard would be a noop in practice for most > >> of the systems installed by d-i. > >> > >> On the other hand, all cases that I remember seeing a problem caused by > >> missing ca-certificates was in systems not installed by d-i, such as > >> containers, vm images, etc. Based on that, I would make it important. > > > >Here's my thinking on this: > >I would expect "standard" to get installed on "general purpose" VM > >images, and "important" *not* to get installed on "minimal" container or > >VM images. Looking at the docker debian image build script just now[1], > >it seems to pull in required packages + iproute2 and ping, so it has its > >own selection that doesn't include "important" priority. So changing > >the severity, by itself, won't change anything unless we go all the way > >to "required" which feels like it'd be going too far (but then I also > >don't think apt should be "required"). > >If there are specific examples where you think "important" would help > >I'd be interested; right now I'm sort of favouring "standard" as good > >enough. > > Sounds like good logic to me. > > Thanks for looking into this! > > -- > Steve McIntyre, Cambridge, UK. > st...@einval.com > Can't keep my eyes from the circling sky, > Tongue-tied & twisted, Just an earth-bound misfit, I... > >
Re: RFC: raising ca-certificates package Priority to standard or important
Hey Julien, On Fri, Jan 22, 2021 at 12:00:56PM +0100, Julien Cristau wrote: >On Thu, Jan 21, 2021 at 02:47:25PM -0300, Antonio Terceiro wrote: >> On Thu, Jan 21, 2021 at 03:10:47PM +0100, Julien Cristau wrote: >> > And which of standard or important made most sense (AIUI, standard >> > means "installed by default in d-i" and important means "installed by >> > default in debootstrap"). >> >> wget is already Priority: standard and recommends ca-certificates, so it >> seems to me that making it standard would be a noop in practice for most >> of the systems installed by d-i. >> >> On the other hand, all cases that I remember seeing a problem caused by >> missing ca-certificates was in systems not installed by d-i, such as >> containers, vm images, etc. Based on that, I would make it important. > >Here's my thinking on this: >I would expect "standard" to get installed on "general purpose" VM >images, and "important" *not* to get installed on "minimal" container or >VM images. Looking at the docker debian image build script just now[1], >it seems to pull in required packages + iproute2 and ping, so it has its >own selection that doesn't include "important" priority. So changing >the severity, by itself, won't change anything unless we go all the way >to "required" which feels like it'd be going too far (but then I also >don't think apt should be "required"). >If there are specific examples where you think "important" would help >I'd be interested; right now I'm sort of favouring "standard" as good >enough. Sounds like good logic to me. Thanks for looking into this! -- Steve McIntyre, Cambridge, UK.st...@einval.com Can't keep my eyes from the circling sky, Tongue-tied & twisted, Just an earth-bound misfit, I...
Re: RFC: raising ca-certificates package Priority to standard or important
Hi Antonio, On Thu, Jan 21, 2021 at 02:47:25PM -0300, Antonio Terceiro wrote: > On Thu, Jan 21, 2021 at 03:10:47PM +0100, Julien Cristau wrote: > > And which of standard or important made most sense (AIUI, standard > > means "installed by default in d-i" and important means "installed by > > default in debootstrap"). > > wget is already Priority: standard and recommends ca-certificates, so it > seems to me that making it standard would be a noop in practice for most > of the systems installed by d-i. > > On the other hand, all cases that I remember seeing a problem caused by > missing ca-certificates was in systems not installed by d-i, such as > containers, vm images, etc. Based on that, I would make it important. Here's my thinking on this: I would expect "standard" to get installed on "general purpose" VM images, and "important" *not* to get installed on "minimal" container or VM images. Looking at the docker debian image build script just now[1], it seems to pull in required packages + iproute2 and ping, so it has its own selection that doesn't include "important" priority. So changing the severity, by itself, won't change anything unless we go all the way to "required" which feels like it'd be going too far (but then I also don't think apt should be "required"). If there are specific examples where you think "important" would help I'd be interested; right now I'm sort of favouring "standard" as good enough. [1] https://github.com/debuerreotype/debuerreotype/blob/master/examples/debian.sh Cheers, Julien
Re: RFC: raising ca-certificates package Priority to standard or important
On Thu, Jan 21, 2021 at 03:10:47PM +0100, Julien Cristau wrote: > And which of standard or important made most sense (AIUI, standard > means "installed by default in d-i" and important means "installed by > default in debootstrap"). wget is already Priority: standard and recommends ca-certificates, so it seems to me that making it standard would be a noop in practice for most of the systems installed by d-i. On the other hand, all cases that I remember seeing a problem caused by missing ca-certificates was in systems not installed by d-i, such as containers, vm images, etc. Based on that, I would make it important. signature.asc Description: PGP signature
Re: RFC: raising ca-certificates package Priority to standard or important
On Jan 21, Julien Cristau wrote: > So I'd like to raise the priority of ca-certificates from optional to > at least standard, as a signal that it should be installed on Good idea: I think that "standard" is appropriate. -- ciao, Marco signature.asc Description: PGP signature
RFC: raising ca-certificates package Priority to standard or important
[bcc: {openssl,ca-certificates}@packages.d.o] Hi, the ca-certificates package is currently "Priority: optional", like most of the archive. It's Recommended by a bunch of packages, Depended on by an equivalent number, but I'm not sure if this is optimal. I suspect most packages can be configured to use a different trust store; and that in many deployments you may want to use a private PKI, or limit trust to a specific subset of the global public CAs, so in that sense `Depends' on ca-certificates is not quite correct. On the other hand it's less likely to run into "user disabled Recommends, and run into unexpected TLS server auth failures" kind of situations. So I'd like to raise the priority of ca-certificates from optional to at least standard, as a signal that it should be installed on non-minimal Debian systems. I'll note that ca-certificates depends on the openssl binary package which would thus effectively also become standard (or important, if we go that route), if it isn't already. Before asking ftpmasters to make that change I wanted to ask this group if there were downsides to it that I haven't considered. And which of standard or important made most sense (AIUI, standard means "installed by default in d-i" and important means "installed by default in debootstrap"). Thanks, Julien