From: Vladimir Petko
Newsgroups: linux.debian.maint.java
Subject: Re: ca-certificate-java/openjdk installation issues
Date: Tue, 21 Feb 2023 23:00:01 +0100
List-Archive: https://lists.debian.org/msgid-search/CALFf3kfRb7fi=wZUZtQdAq35YRudj0x=hHZ-ZyA8qTrX0MoxdA@mail.gmail.com

Hi,

I wonder if security guys will have some reservations about the pre-built root list. This will result in supplying two potentially different sources of trust and will require maintenance to keep those in sync. A possible scenario is a CA being revoked, which results in an update to ca-certificates. If the same CA was present in the pre-built list, then ca-certificates-java needs to be updated at the same time.

Best Regards,
Vladimir.

On Wed, Feb 22, 2023 at 10:30 AM Thorsten Glaser wrote:
>
> On Wed, 22 Feb 2023, Vladimir Petko wrote:
>
> >Just a small clarification, openssl itself allows importing a single
> >certificate and its chain and overwrites the store in the process, so
> >we need something like p11-kit.
> >Another grey area is ORACLE_TrustedKeyUsage attribute - at the moment
>
> Ugh.
>
> How about doing it the “low-tech” way:
>
> – ship a minimal JKS keystore with bin:ca-certificates-java,
>   generated at build time, that contains a manually vetted
>   list of roots, perhaps just what’s relevant for Debian
> – use a Recommends to get at a JRE
> – with trigger, generate a full keystore, once a JRE is there
>
> (The shipped one would need to be in /usr/share/!(doc) and
> copied so overwriting it with the generated one works and
> we’ll probably need to track hashes of shipped ones so we
> can honour admin choices to override the keystore if needed.)
>
> bye,
> //mirabilos
> --
> Infrastructure expert • tarent solutions GmbH
> Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
> Telephone +49 228 54881-393 • Fax: +49 228 54881-235
> HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
> Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
>
> ****************************************************
> /⁀\ The UTF-8 Ribbon
> ╲ ╱ Campaign against      Never miss anything with the tarent newsletter:
>  ╳  HTML eMail! Also,     https://www.tarent.de/newsletter
> ╱ ╲ header encryption!
> ****************************************************
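The two operational points raised in this exchange, Vladimir's worry that a pre-built root list and ca-certificates drift apart (for instance after a CA is removed from ca-certificates), and Thorsten's suggestion to track hashes of shipped keystores so an admin's override is honoured, can both be checked mechanically. The following is an added example, not code from the thread or from the ca-certificates-java package. It assumes the Java side is dumped as PEM with `keytool -list -rfc -keystore <store>` and the system side is the `ca-certificates.crt` bundle; the sample certificate bodies below are constructed stand-ins for DER, not real certificates, since only their hashes matter for the comparison.

```python
"""Keeping a Java truststore in step with ca-certificates.

Added example (not code from the debian-java thread or ca-certificates-java):
 1. truststore_drift(): SHA-256 fingerprints of every certificate in the
    system PEM bundle versus those in a `keytool -list -rfc` dump, to flag
    roots the system dropped but Java still trusts, and vice versa.
 2. keystore_action(): the conffile-style decision a trigger would make
    before overwriting the keystore: replace a file only if its hash is one
    the package itself shipped or generated; preserve an admin-modified file.
"""
from __future__ import annotations

import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of arbitrary bytes (used for both DER and whole files)."""
    return hashlib.sha256(data).hexdigest()


def pem_fingerprints(pem_text: str) -> set[str]:
    """SHA-256 fingerprints of all certificates in `pem_text`.

    A certificate's SHA-256 fingerprint is the hash of its DER encoding,
    which is exactly what the base64 body of each PEM block carries."""
    fps = set()
    for match in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode(re.sub(r"\s+", "", match.group(1)))
        fps.add(sha256_hex(der))
    return fps


def truststore_drift(system_pem: str, java_pem: str) -> dict[str, set[str]]:
    """Compare the system CA bundle with the Java keystore dump.

    'missing': roots the system trusts that are absent from the keystore
    'extra'  : roots Java trusts that the system no longer ships (e.g. a CA
               removed from ca-certificates but still in a stale pre-built
               keystore, the divergence Vladimir describes)."""
    sys_fps = pem_fingerprints(system_pem)
    java_fps = pem_fingerprints(java_pem)
    return {"missing": sys_fps - java_fps, "extra": java_fps - sys_fps}


def keystore_action(existing: bytes | None, known_hashes: set[str]) -> str:
    """Decide what a postinst/trigger should do with the keystore file.

    existing     : current file content, or None if no file is present
    known_hashes : SHA-256 of every keystore the package has shipped or
                   generated at that path (the hash list Thorsten proposes)
    Returns 'create', 'regenerate' or 'preserve'."""
    if existing is None:
        return "create"
    if sha256_hex(existing) in known_hashes:
        return "regenerate"
    # The hash matches nothing we produced: the admin replaced or edited it.
    return "preserve"


# --- Constructed sample data (not real certificates): the base64 bodies are
# arbitrary bytes standing in for DER; only their hashes matter here. -------
def fake_pem(der: bytes) -> str:
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SYSTEM_BUNDLE = fake_pem(b"root-A") + fake_pem(b"root-B")
# Stale Java keystore: still carries root-C, which the system bundle dropped,
# and lacks root-B, which the system bundle added.
JAVA_KEYSTORE_DUMP = fake_pem(b"root-A") + fake_pem(b"root-C")

if __name__ == "__main__":
    drift = truststore_drift(SYSTEM_BUNDLE, JAVA_KEYSTORE_DUMP)
    print("roots missing from Java:", len(drift["missing"]))  # 1
    print("stale roots in Java:   ", len(drift["extra"]))     # 1
    shipped = {sha256_hex(b"shipped-keystore-v1")}
    print(keystore_action(b"shipped-keystore-v1", shipped))   # regenerate
    print(keystore_action(b"admin edited", shipped))          # preserve
    print(keystore_action(None, shipped))                     # create
```

In a real trigger the two inputs would be the output of `keytool -list -rfc` on the installed keystore and the contents of `/etc/ssl/certs/ca-certificates.crt`; a non-empty `extra` set after a ca-certificates update is exactly the revoked-root case that a pre-built list would otherwise leave in place.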