Re: git and https



On Fri, May 29, 2015 at 10:21:09PM +1000, Riley Baird wrote:
> On Fri, 29 May 2015 13:55:31 +0800
> Paul Wise <pabs@debian.org> wrote:

> > > If we can use a Debian-specific CA, we can do cert pinning, since we're
> > > then assuming we have some control over the client.  I was assuming a
> > > general client where we'd have to play nice with the normal CA roots.

> > Then we would constantly get complaints from Ubuntu/etc
> > developers/users about why Debian uses invalid certs, as we did before
> > Debian moved to mafia certs. Unfortunately I don't think it is
> > possible to use both mafia CAs and non-mafia CAs without adding say a
> > lot of non-mafia subdomains, like non-mafia.www.debian.org.

> If having to manually add a CA annoys the Ubuntu developers that
> much, then surely they could just include the Debian CA certificate to
> Ubuntu's default?

It is my understanding that no, Ubuntu could not, because Ubuntu ships
firefox; and one of the things that's disallowed by Mozilla when using the
firefox trademark is extending the set of trusted CAs (for actually rather
good reason).

Even if this were permissible to do while shipping firefox, it's not
something that Ubuntu would entertain lightly.  You can make a case that
because Ubuntu derives much of its code from Debian, Debian is already
"ultimately trusted" and there is no reason that this should not extend to
inclusion of a CA.  However, CAs are tricky things with lots of
poorly-understood requirements around their management, and I don't think
Ubuntu would want to enable such a CA without some additional assurances
about the kinds of CA-specific things that don't obviously fall out from
Debian's already excellent archive management practices.  The only thing
worse than trusting one exploitable CA regime in your OS is trusting *two*
exploitable CA regimes in your OS.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
