Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.java > #12577

Re: ca-certificate-java/openjdk installation issues

Path csiph.com!fu-berlin.de!bofh.it!news.nic.it!robomod
From Vladimir Petko <vladimir.petko@canonical.com>
Newsgroups linux.debian.maint.java
Subject Re: ca-certificate-java/openjdk installation issues
Date Tue, 21 Feb 2023 23:00:01 +0100
Message-ID <G1IQ1-7ycD-7@gated-at.bofh.it> (permalink)
References <FWBFv-4dUm-5@gated-at.bofh.it> <G1HqW-7xt9-5@gated-at.bofh.it> <G1I3D-7xWb-13@gated-at.bofh.it> <G1IwF-7y5I-11@gated-at.bofh.it>
X-Mailbox-Line From debian-java-request@lists.debian.org Tue Feb 21 21:56:34 2023
Old-Return-Path <vladimir.petko@canonical.com>
X-Amavis-Spam-Status No, score=-9.401 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FOURLA=0.1, LDO_WHITELIST=-5, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
X-Policyd-Weight using cached result; rate: -5.5
X-Gm-Message-State AO0yUKXZez3wGiJz1o+/LJNgzDJcK+cPMXKOMHd9PGVZAI6EzNna7Xae SQ7pvNl0ykQHyeQYG/VKHAUK7vRs4Ll5CfhgisvJr1gY5JeQ7MG0pn24lIIpQS4Y2P828yObuis ocNH6F5hLjTRTrUqP0820bjrQbZdFzbg5GLw3VpurMAGYA9KshU5B7rj6lsPA8Us=
X-Received by 2002:a17:902:7e41:b0:196:433e:2378 with SMTP id a1-20020a1709027e4100b00196433e2378mr817475pln.4.1677016569556; Tue, 21 Feb 2023 13:56:09 -0800 (PST)
X-Google-SMTP-Source AK7set9pDpXuumjAJGbqVJEy+B4IuucZfX1lfV12cKyC8qxEkIi/glEaLkwE5cxb2X+xye0g/gK82jH802j5pt4/oEc=
X-Received by 2002:a17:902:7e41:b0:196:433e:2378 with SMTP id a1-20020a1709027e4100b00196433e2378mr817474pln.4.1677016569223; Tue, 21 Feb 2023 13:56:09 -0800 (PST)
MIME-Version 1.0
Content-Type text/plain; charset="UTF-8"
Content-Transfer-Encoding quoted-printable
X-Mailing-List <debian-java@lists.debian.org> archive/latest/23232
List-ID <debian-java.lists.debian.org>
List-URL <https://lists.debian.org/debian-java/>
List-Archive https://lists.debian.org/msgid-search/CALFf3kfRb7fi=wZUZtQdAq35YRudj0x=hHZ-ZyA8qTrX0MoxdA@mail.gmail.com
Approved robomod@news.nic.it
Lines 56
Organization linux.* mail to news gateway
Sender robomod@news.nic.it
X-Original-Cc debian-java@lists.debian.org
X-Original-Date Wed, 22 Feb 2023 10:55:58 +1300
X-Original-Message-ID <CALFf3kfRb7fi=wZUZtQdAq35YRudj0x=hHZ-ZyA8qTrX0MoxdA@mail.gmail.com>
X-Original-References <CALFf3kckwyx6X93=1JNjcnBdyctJe9AtfXYQsOoJf5qeUUjNEw@mail.gmail.com> <c2ec8737fb5a03f1039a2e90ab925594@apache.org> <CALFf3kdPbsbF-TJkPTF6VaQXphy-xCKiJ9WRLFk6KRD-OsufWg@mail.gmail.com> <665f66a6-347d-18ce-457a-548d7fcd2c@tarent.de>
Xref csiph.com linux.debian.maint.java:12577

Show key headers only | View raw

Hi,

 I wonder if security guys will have some reservations abouts the
pre-built root list. This will result in supplying two potentially
different sources of trust and will require maintenance to keep those
in sync. A possible scenario is CA being revoked, which results in an
update to ca-certificates. If the same CA was present in the pre-built
list, then ca-certificates-java needs to be updated at the same time.

Best Regards,
 Vladimir.

On Wed, Feb 22, 2023 at 10:30 AM Thorsten Glaser <t.glaser@tarent.de> wrote:
>
> On Wed, 22 Feb 2023, Vladimir Petko wrote:
>
> >Just a small clarification, openssl itself allows importing a single
> >certificate and its chain and overwrites the store in the process, so
> >we need something like p11-kit.
> >Another grey area is ORACLE_TrustedKeyUsage attribute - at the moment
>
> Ugh.
>
> How about doing it the “low-tech” way:
>
> – ship a minimal JKS keystore with bin:ca-certificates-java,
>   generated at build time, that contains a manually vetted
>   list of roots, perhaps just what’s relevant for Debian
> – use a Recommends to get at a JRE
> – with trigger, generate a full keystore, once a JRE is there
>
> (The shipped one would need to be in /usr/share/!(doc) and
> copied so overwriting it with the generated one works and
> we’ll probably need to track hashes of shipped ones so we
> can honour admin choices to override the keystore if needed.)
>
> bye,
> //mirabilos
> --
> Infrastrukturexperte • tarent solutions GmbH
> Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
> Telephon +49 228 54881-393 • Fax: +49 228 54881-235
> HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
> Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
>
>                         ****************************************************
> /⁀\ The UTF-8 Ribbon
> ╲ ╱ Campaign against      Mit dem tarent-Newsletter nichts mehr verpassen:
>  ╳  HTML eMail! Also,     https://www.tarent.de/newsletter
> ╱ ╲ header encryption!
>                         ****************************************************

Back to linux.debian.maint.java | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-07 20:20 +0100
  Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-07 20:40 +0100
    Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-07 20:40 +0100
    Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-07 21:10 +0100
  Re: ca-certificate-java/openjdk installation issues Emmanuel Bourg <ebourg@apache.org> - 2023-02-21 21:30 +0100
    Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-21 21:40 +0100
    Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-21 22:10 +0100
      Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-21 22:40 +0100
        Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-21 23:00 +0100
          Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-21 23:00 +0100
            Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-21 23:40 +0100
              Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-22 00:00 +0100
              Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-22 00:00 +0100
                Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-23 04:00 +0100
                Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-23 20:50 +0100
                Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-23 21:00 +0100
                Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-23 21:00 +0100
                Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-24 05:20 +0100
                Re: ca-certificate-java/openjdk installation issues Thorsten Glaser <t.glaser@tarent.de> - 2023-02-24 06:30 +0100
                Re: ca-certificate-java/openjdk installation issues Vladimir Petko <vladimir.petko@canonical.com> - 2023-02-27 08:20 +0100

csiph-web