
Re: Bug#619059: ITP: libmozilla-ca-perl -- Mozilla's CA cert bundle in PEM format



Nicholas Bamber <nicholas@periapt.co.uk> writes:

> Package: wnpp
> Owner: Nicholas Bamber <nicholas@periapt.co.uk>
> Severity: wishlist
> X-Debbugs-CC: debian-devel@lists.debian.org,debian-perl@lists.debian.org
>
> * Package name    : libmozilla-ca-perl
>   Version         : 20110301
>   Upstream Author : Gisle Aas <gisle@activestate.com>
> * URL             : http://search.cpan.org/dist/Mozilla-CA/
> * License         : MPL-1.1 or GPL-2+ or LGPL-2.1+
>   Programming Lang: Perl
>   Description     : Mozilla's CA cert bundle in PEM format
>
> Mozilla::CA provides a copy of Mozilla's bundle of Certificate Authority
> certificates in a form that can be consumed by modules and libraries based on
> OpenSSL.

I'm assuming your motivation for packaging this is the latest release of
libwww-perl using this module for SSL trust chain validation when using
https.

I'm writing this email in order to point out that what makes sense for
CPAN isn't necessarily the right thing to do for downstream
distributions.


LWP decided to validate SSL certificates. For that it needs a list of
trusted certificate authorities. With the way we distribute software on
CPAN right now, we don't have a way of actually asking the user about
what authorities he'd like to trust. LWP kind of took the easy route and
just went with Mozilla::CA and trusts every authority Mozilla trusts,
without giving the user much of a chance to customise things, unless
he's willing to maintain a local directory containing trusted CAs and
change his code to use that in favour of the one provided by
Mozilla::CA.


In Debian, we already have a more convenient way to ship CA certificates
and give the local administrator the possibility to trust or not trust
the included authorities individually and to easily add new trusted
authorities not already provided by Debian. The infrastructure for that
exists in the ca-authorities package.


I'd like you to consider modifying LWP for Debian so it'll make use of
the infrastructure we already have. I haven't actually investigated how
involved the customisations for that would have to be, but I have a
strong suspicion that it's going to end up being quite minimal and
easily maintainable in the long run.

In case that turns out to be false, the upstream maintainers of the
related CPAN distributions, libwww-perl, IO-Socket-SSL, and Net-SSLeay,
are generally open to patches and I'm sure they'd also be very open to
working with downstreams such as Debian in order to make this sort of
customisation even easier, if need be.

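The customisation the mail describes (pointing LWP at the administrator-managed CA store instead of the Mozilla::CA bundle), as an added example that is not part of the original thread or of the LWP, Mozilla::CA or ca-certificates projects; it assumes Debian's ca-certificates paths and LWP 6 or later, and the URL is a placeholder:

```perl
#!/usr/bin/perl
# Added example (not from the original mail): make LWP::UserAgent validate
# HTTPS against Debian's ca-certificates store rather than the Mozilla::CA
# bundle. Assumes the ca-certificates package is installed and LWP >= 6.
use strict;
use warnings;
use LWP::UserAgent;

# Paths installed by Debian's ca-certificates package: a directory of hashed
# per-CA symlinks (reflecting the administrator's per-CA choices made with
# update-ca-certificates) and a concatenated bundle of that same set.
my $SYSTEM_CA_DIR  = '/etc/ssl/certs';
my $SYSTEM_CA_FILE = '/etc/ssl/certs/ca-certificates.crt';

# Build the ssl_opts hash LWP passes through to IO::Socket::SSL. Prefers the
# system store; falls back to Mozilla::CA only when the system store is
# missing, and never disables verification.
sub trust_store_opts {
    my %opts = (verify_hostname => 1);   # require the cert to match the host
    if (-f $SYSTEM_CA_FILE) {
        $opts{SSL_ca_file} = $SYSTEM_CA_FILE;
    } elsif (-d $SYSTEM_CA_DIR) {
        $opts{SSL_ca_path} = $SYSTEM_CA_DIR;
    } else {
        require Mozilla::CA;
        $opts{SSL_ca_file} = Mozilla::CA::SSL_ca_file();
        warn "system CA store not found, falling back to Mozilla::CA\n";
    }
    return \%opts;
}

my $ua = LWP::UserAgent->new(ssl_opts => trust_store_opts(), timeout => 15);

# Placeholder URL; pass the real one on the command line.
my $url = shift @ARGV || 'https://example.invalid/';
my $res = $ua->get($url);
if ($res->is_success) {
    print "verified TLS connection to $url (", length($res->content), " bytes)\n";
} else {
    # A chain or hostname failure surfaces as an HTTP 500 status line carrying
    # the IO::Socket::SSL message, e.g. "certificate verify failed".
    print "request failed: ", $res->status_line, "\n";
}
```

The same effect without touching application code: set PERL_LWP_SSL_CA_FILE=/etc/ssl/certs/ca-certificates.crt (or PERL_LWP_SSL_CA_PATH=/etc/ssl/certs) in the environment, which LWP::UserAgent honours in preference to Mozilla::CA.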