Nicholas Bamber <email@example.com> writes:

> Package: wnpp
> Owner: Nicholas Bamber <firstname.lastname@example.org>
> Severity: wishlist
> X-Debbugs-CC: email@example.com,firstname.lastname@example.org
>
> * Package name    : libmozilla-ca-perl
>   Version         : 20110301
>   Upstream Author : Gisle Aas <email@example.com>
> * URL             : http://search.cpan.org/dist/Mozilla-CA/
> * License         : MPL-1.1 or GPL-2+ or LGPL-2.1+
>   Programming Lang: Perl
>   Description     : Mozilla's CA cert bundle in PEM format
>
> Mozilla::CA provides a copy of Mozilla's bundle of Certificate Authority
> certificates in a form that can be consumed by modules and libraries based on
> OpenSSL.

I'm assuming your motivation for packaging this is the latest release of libwww-perl using this module for SSL trust chain validation when using https. I'm writing this email in order to point out that what makes sense for CPAN isn't necessarily the right thing to do for downstream distributions.

LWP decided to validate SSL certificates. For that it needs a list of trusted certificate authorities. With the way we distribute software on CPAN right now, we don't have a way of actually asking the user about which authorities he'd like to trust. LWP kind of took the easy route and just went with Mozilla::CA and trusts every authority Mozilla trusts, without giving the user much of a chance to customise things, unless he's willing to maintain a local directory containing trusted CAs and change his code to use that in favour of the one provided by Mozilla::CA.

In Debian, we already have a more convenient way to ship CA certificates and give the local administrator the possibility to trust or not trust the included authorities individually and to easily add new trusted authorities not already provided by Debian. The infrastructure for that exists in the ca-authorities package. I'd like you to consider modifying LWP for Debian so it'll make use of the infrastructure we already have.
I haven't actually investigated how involved the customisations for that would have to be, but I have a strong suspicion that it's going to end up being quite minimal and easily maintainable in the long run. In case that turns out to be false, the upstream maintainers of the related CPAN distributions, libwww-perl, IO-Socket-SSL, and Net-SSLeay, are generally open to patches and I'm sure they'd also be very open to working with downstreams such as Debian in order to make this sort of customisation even easier, if need be.
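The alternative the message argues for, as an added Perl example that is not part of the mailing-list thread or of any of the packages it names: instead of letting LWP::UserAgent pick up the bundle shipped inside Mozilla::CA, hand it the trust anchors maintained by the distribution. The two Debian paths (/etc/ssl/certs and /etc/ssl/certs/ca-certificates.crt) are assumptions about the local system, and the fallback to Mozilla::CA is only there so the script still runs on a host without a system store.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: make LWP trust the CAs the local
# administrator has chosen (Debian's ca-certificates layout is assumed) rather
# than every authority in the Mozilla::CA bundle.
use strict;
use warnings;
use LWP::UserAgent;

# Assumed locations managed by the distribution: a directory of individually
# trusted CA certificates (with OpenSSL hash symlinks) and the concatenated
# bundle built from exactly those certificates.
my $SYSTEM_CA_PATH = '/etc/ssl/certs';
my $SYSTEM_CA_FILE = '/etc/ssl/certs/ca-certificates.crt';

# Choose the trust anchors. The system store wins whenever it exists; the
# bundle inside Mozilla::CA is only a last resort, because the administrator
# cannot add to or remove from it through the distribution's tooling.
sub ca_options {
    return (SSL_ca_file => $SYSTEM_CA_FILE) if -f $SYSTEM_CA_FILE;
    return (SSL_ca_path => $SYSTEM_CA_PATH) if -d $SYSTEM_CA_PATH;
    require Mozilla::CA;
    return (SSL_ca_file => Mozilla::CA::SSL_ca_file());
}

# ssl_opts is passed through to IO::Socket::SSL by LWP 6.x. verify_hostname
# stays on explicitly so that a misconfigured CA path fails the connection
# instead of quietly accepting any certificate.
sub make_ua {
    my %ca = ca_options();
    return LWP::UserAgent->new(
        ssl_opts => { verify_hostname => 1, %ca },
    );
}

my ($kind, $where) = ca_options();
print "trust anchors: $kind = $where\n";

# Optional live check: a chain that does not lead to one of those anchors is
# reported by LWP as a 500 response whose message contains
# "certificate verify failed".
if (my $url = shift @ARGV) {
    my $res = make_ua()->get($url);
    print $res->status_line, "\n";
}
```

The same effect without touching code: LWP 6.x also reads the PERL_LWP_SSL_CA_FILE and PERL_LWP_SSL_CA_PATH environment variables, so a downstream wrapper or the administrator can point an unmodified script at the system store. Either way, removing a CA from the system directory and rebuilding the bundle is then enough to revoke trust for every LWP client on the machine, which is the property the message is asking for.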