Bug 11398 - use ca-certificate instead of rootcerts
Summary: use ca-certificate instead of rootcerts
Status: RESOLVED WONTFIX
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All; OS: Linux
Priority: Normal; Severity: normal
Target Milestone: ---
Assignee: All Packagers
QA Contact:
URL:
Whiteboard:
Keywords: Triaged
Depends on:
Blocks: 11665
 
Reported: 2013-10-07 09:56 CEST by D Morgan
Modified: 2017-12-13 05:07 CET

See Also:
Source RPM: ca-certificate
CVE:
Status comment:



Description D Morgan 2013-10-07 09:56:55 CEST
Description of problem:

We could follow Fedora and make use of ca-certificate instead of rootcerts.

ca-certificates bundle rootcerts already.

Comment 1 Manuel Hiebel 2013-10-07 12:13:38 CEST
Did you reply to the thread which was on the dev ML asking why this package?

Source RPM: ca-certificate => (none)

Manuel Hiebel 2013-10-07 12:15:20 CEST

Keywords: (none) => Triaged
Summary: use ca-certificate => use ca-certificate instead of rootcerts
Source RPM: (none) => ca-certificate

Comment 2 Sander Lepik 2013-10-07 12:38:13 CEST
AFAIK he didn't and this is definitely a topic that should be discussed at dev ML first.

CC: (none) => mageia
Hardware: i586 => All

David Walser 2013-10-07 17:04:04 CEST

CC: (none) => luigiwalser, oe

Comment 3 Oden Eriksson 2013-10-08 10:11:11 CEST
FYI. The rootcerts package and the work of consolidating software using the /etc/pki/tls/certs/ca-bundle.crt was started by me back in 2005, after being inspired by the rootcerts updates in Microsoft. To my knowledge no other open source based distro had implemented this at the time.

Now at least Debian, SUSE and Red Hat have caught up, but are using their own implementations. A discussion was initiated some years ago to standardize this and use only one implementation, no consensus was made.

To piggyback on the Red Hat implementation would probably simplify this for Mageia, but what the impact would be is unknown to me. Maybe you will have to use all of their nss splits in order to benefit from this fully, or cherry-pick the needed patches only.

There's a catch with these root CA certs and that is that many of them require license agreements for distributing them. The best way to really see this is to examine the rootcerts updates in Microsoft who most certainly have all licensing in order. In the nmap source you can find a way to extract the rootcerts from Microsoft, and one option I thought of was to do just that instead of using the Mozilla store, but...

Anyway, good luck with this switch.
Comment 4 D Morgan 2013-10-08 10:15:40 CEST
(In reply to Sander Lepik from comment #2)
> AFAIK he didn't and this is definitely a topic that should be discussed at
> dev ml first..

I talked with Oden and Luigi12 about this, but my reply forgot dev ML.

I am not against starting a thread; I did this bug report as requested by Luigi12.
David Walser 2013-11-13 22:10:48 CET

Blocks: (none) => 11665

Comment 5 Samuel Verschelde 2015-04-23 14:18:08 CEST
Has this discussion led somewhere?
Comment 6 David Walser 2015-04-23 14:26:18 CEST
Yes, in Bug 15027.  We've been in freeze for most of this millennium though, so nothing can be done yet.
Comment 7 Samuel Verschelde 2015-04-23 14:29:50 CEST
Is it possible to merge both bug reports, or can they be treated separately?
Comment 8 David Walser 2015-04-23 14:34:06 CEST
(In reply to Samuel VERSCHELDE from comment #7)
> Is it possible to merge both bug reports, or can they be treated separately?

They are actually separate issues, just related.  They'll be dealt with separately (I'll fix Bug 15027 first as that will be relatively easy).  This bug will be much more difficult.
Samuel Verschelde 2016-10-16 15:23:02 CEST

Assignee: bugsquad => pkg-bugs

Marja Van Waes 2016-10-16 22:23:17 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=15027

Neal Gompa 2017-10-29 02:44:56 CET

CC: (none) => ngompa13

Comment 9 Dieter Rogiest 2017-11-06 00:17:26 CET
Am I the only one who uses google-chrome-beta on Mageia 6?
Since last week I cannot update to the latest version because of:

Sorry, the following package cannot be selected:
- google-chrome-beta-63.0.3239.30-1.x86_64 (due to unsatisfied ca-certificates)

Doesn't this new requirement make this bug much more urgent?

CC: (none) => dieter.rogiest

Comment 10 David Walser 2017-11-06 00:25:58 CET
No, it's not urgent.  You can force the installation for now.
Comment 11 Marc Paré 2017-12-08 03:40:08 CET
I am also just getting this now with a Google Chrome update notice on my main Mageia box. The update shows the same error. I am also getting the same feedback from my approx. 40 or so "70-80 year-old Mageia users" that I help manage their systems as a volunteer. Some of them would rather use Google Chrome and are now confused as to what to do with this situation. 

It would be great if there were a seamless fix to this for any other Mageia just new to the Mageia scene. 

Marc

CC: (none) => marc

Comment 12 Thomas Backlund 2017-12-08 08:32:01 CET
How about as a quick fix, add ca-certificates as a virtual provide on our rootcerts package...

CC: (none) => tmb

Comment 13 Charles Edwards 2017-12-08 08:45:29 CET
(In reply to Thomas Backlund from comment #12)
> How about as a quick fix, add ca-certificates as a virtual provide on our
> rootcerts package...

That was done for cauldron in Oct. but it was not backported to either mga5
or mga6.

CC: (none) => cae

Comment 14 James Kerr 2017-12-08 14:44:05 CET
*** Bug 22144 has been marked as a duplicate of this bug. ***

CC: (none) => petlaw726

Comment 15 José Jorge 2017-12-08 17:58:52 CET
Closing this one if it is fixed in cauldron, and separating bug 22144 to push the update to MGA6.

CC: (none) => lists.jjorge
Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 16 w unruh 2017-12-11 15:32:40 CET
So, to be clear, if one installs rootcerts from cauldron into Mga6, this problem will not occur in Mga6?
Is there something delaying the backporting of the cauldron rootcerts into mga6?

CC: (none) => unruh

Comment 17 José Jorge 2017-12-11 17:50:41 CET
(In reply to w unruh from comment #16)
> So, to be clear, if one installs rootcerts from cauldron into Mga6, this
> problem will not occur in Mga6?

Yes, but this is not supported.

> Is there something delaying the backporting of the cauldron rootcerts into
> mga6?

Just the time to do it. It will be followed in the bug against MGA6.
Comment 18 David Walser 2017-12-13 02:57:26 CET
Just FYI, the bug marked a duplicate of this one isn't; just providing ca-certificates isn't the same thing as actually *being* the ca-certificates package from Fedora.  I'm no longer so certain that's a good idea anyway though.

Resolution: FIXED => WONTFIX

Comment 19 Charles Edwards 2017-12-13 04:14:57 CET
For all practical purposes our rootcerts rpm and the Fedora ca-certificates rpm
do the same job.

Both are mostly derived from Mozilla's root CA list (the file "certdata.txt").

Using rootcerts I have had no complaints of bad or missing certs when using
google-chrome-unstable rpms.
Comment 20 w unruh 2017-12-13 04:23:12 CET
Google Chrome refuses to install. That is certainly a bug which SHOULD be fixed. In Cauldron, the fix is that the rootcerts package is altered to also state that it provides fulfilment of the installation of the rootcerts package. Comment 118 claims that this might cause unstated problems.
a) Has the fix in cauldron been retracted?
b) What fix is proposed for Mga6 if not that in cauldron?
c) While "just providing ca-certificates isn't the same thing as actually *being* the ca-certificates package from Fedora" is certainly true, what  does it matter?
Does it fix the inability to install chrome? Does it cause other problems?

Refusing to fix MGA6 does not, to me, seem a reasonable option. And just stating that you can force the installation is useless since most users will not know what that means or how to do it, and do not know it is a possible fix (they will not read this confused bug report). And having Mageia state "We do not support the installation of Chrome" does not seem to do Mageia any favours.
Comment 21 David Walser 2017-12-13 04:34:50 CET
unruh, you completely misunderstood my comment.  This bug, Bug 11398, has absolutely nothing to do with Google Chrome.  This bug was about doing away with our rootcerts package and importing Fedora's ca-certificates package to replace it.  I was trying to clarify that, because most of the comments posted here from Comment 9 on, were about a completely different issue than what this bug was for, creating confusion.

The issue with Google Chrome has been filed as, and is being addressed in, Bug 22144, and a fix has already been built for it.  Nobody is refusing to fix anything here.
Comment 22 w unruh 2017-12-13 05:07:10 CET
Sorry about the misunderstanding. Your "won't fix" therefore refers to replacing the rootcerts package with ca-certificates from Fedora/Redhat/Debian. Yes, I notice in 22144 that you have ported the virtual provide of ca-certificates into Mga6. Thanks.
