On Friday, 08 February 2013 at 16:54 +0100, Miloslav Trmač wrote:
> Hello,
> On Fri, Feb 8, 2013 at 12:41 PM, Michael Scherer <misc@xxxxxxxx> wrote:
> >
> > - ban all certificates if used to validate something.
> I think this is too strict; there may be legitimate cases of
> service-specific CAs; there even are projects that use the X.509
> certificate format for something completely unrelated to the global CA
> universe. Requiring an exception or an independent review may be
> fine.

Of course, when I mean "ban all", I mean "unless exceptions". And finding those potential exceptions is also one reason to have this thread :)

> > We cannot automate that test, since private key and certificates are
> > often used in tests suite. And as long as this is just used for testing
> > purpose, the certificate should be ok.
> Wouldn't this be handled by only checking the binary packages, and
> allowing private keys/certificates in SRPMs? Shipping test suites is
> usually not that valuable (... speaking as an owner of a package that
> does ship a test suite :) It will be dropped soon).

Usually, the tests end in %doc, so maybe that's something that can be used. Sometimes, that's also used as an example (see the various perl modules shipping a cert). Even if I can imagine people using the example to set up a service and end with a non-private key. Not sure if we should prevent that or just let Darwin do his job...

> > If people want to look at affected packages, there is
> > # yum whatprovides '*pem'
> That's quite a few :( Don't forget about other formats - .der, .p12
> at least; possibly also the native NSS and Java formats.

I will add .der and .p12. For the native formats, I am not a certificate specialist, so I will have to look and see what can be done.

-- 
Michael Scherer
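
A content-based version of the `yum whatprovides '*pem'` lookup discussed in this thread, as an added example that is not part of the original message or of any Fedora tooling: it walks an unpacked binary package tree, classifies files by PEM label rather than by file name, and marks whether each hit sits under the doc directory. The `usr/share/doc/` prefix, the function names and the sample tree are assumptions constructed for illustration.

```python
import os, re, tempfile

# PEM armour line; the label says what the block holds.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
BINARY_EXTS = {".der", ".p12"}  # binary formats named in the thread
DOC_PREFIX = "usr/share/doc/"   # assumption: where %doc files are installed

def classify(root):
    """Return sorted (relative path, kind, under_doc) for key material in root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                head = fh.read(65536)  # armour lines sit near the top
            labels = {m.group(1).decode() for m in PEM_RE.finditer(head)}
            if any(l.endswith("PRIVATE KEY") for l in labels):
                kind = "private-key"
            elif any(l.endswith("CERTIFICATE") for l in labels):
                kind = "certificate"
            elif os.path.splitext(name)[1].lower() in BINARY_EXTS:
                kind = "binary-container"  # not parsed here, needs manual review
            else:
                continue
            findings.append((rel, kind, rel.startswith(DOC_PREFIX)))
    return sorted(findings)

def build_sample(root):
    """Write a constructed tree; bodies are placeholders, not real keys."""
    def pem(label):
        return ("-----BEGIN %s-----\nY29uc3RydWN0ZWQ=\n-----END %s-----\n"
                % (label, label)).encode()
    files = {
        "etc/pki/demo/server.key": pem("RSA PRIVATE KEY"),
        "etc/pki/demo/ca.crt": pem("CERTIFICATE"),
        "etc/pki/demo/store.p12": b"\x30\x82\x00\x00",
        "usr/share/doc/demo/example.pem": pem("PRIVATE KEY"),
        "usr/bin/demo": b"#!/bin/sh\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, kind, under_doc in classify(tmp):
            print(f"{kind:17} {'doc' if under_doc else 'installed':9} {rel}")
```

The `ca.crt` and `server.key` hits are ones a `*pem` file-name match would miss, and the `under_doc` flag separates shipped examples from material installed where a service would load it.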