On Sun, 2024-11-17 at 14:14 -0600, Chris Adams wrote:
> Once upon a time, Neal Gompa <ngompa13@xxxxxxxxx> said:
> > This file has to remain on the system for a completely different
> > reason: other crypto libraries may and do probably use this file. It
> > is unreasonable to delete what essentially is our certificate store
> > API without going through and fixing *all* crypto libraries and
> > applications that directly load the CA store themselves to work with
> > it upstream.
>
> Yeah, there's nothing that says "this file is for OpenSSL's internal use
> only". I know I've written code that references it. It's /etc/pki/tls,
> not /etc/openssl-private-nobody-else-use; it gives all appearances of
> being a shared file.

On the whole, no, no other major crypto library relies on it that I'm
aware of. nss uses its own stuff. gnutls *can* use the file at that
location, but it's just one in a big list of candidates and it doesn't
actually use it on Fedora. I started poking through references to the
file on github a while ago and didn't yet find any significant ones that
would not be OK somehow (it's usually referenced as part of a big list
of candidates, and some other item on the list would still be present
on Fedora if this location were removed).

> Also, there's not a way to test this (e.g. remove the cert.pem symlink
> and see what breaks); the change says the speed-up is to use the
> directory-hash format by default... but there's no hashes in
> /etc/pki/tls/certs. Something needs to be managing those hashes
> (creating, updating, deleting stale) BEFORE the bundle can be

There are hashes there on my system. They're symlinks to
/etc/pki/ca-trust/extracted/pem/directory-hash. Both ends of the symlink
are owned by ca-certificates; I believe the symlinks are set up by its
scriptlets.

> If the hashes directory (once populated) is also going to be considered
> OpenSSL-only, it should be moved out from under /etc/pki/tls into a
> directory that is obviously OpenSSL-only.

The hashes actually live elsewhere (as per above), but changing our
OPENSSLDIR on Fedora after like 20 years would be a huge change and
probably not a great idea for all the reasons people are worried about
doing *this*.
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw@xxxxxxxxxxxxx
https://www.happyassassin.net
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
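An added example, not part of this thread or of any Fedora package, that checks from the command line the two things argued about above: whether a CApath directory such as /etc/pki/tls/certs actually holds consistent `<subject_hash>.<n>` entries (dangling symlinks and wrongly named links are reported), and whether a given certificate still verifies when the cert.pem bundle is ignored, so the "remove the symlink and see what breaks" question can be answered per certificate without removing anything. It assumes the openssl CLI (1.1.0 or newer, for `-no-CAfile`) is installed; the function names and the script name are the example's own, and the self-signed certificate used to exercise it is constructed on the fly.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenSSL CApath directory
# such as /etc/pki/tls/certs, whose <hash>.<n> entries on Fedora are
# symlinks into /etc/pki/ca-trust/extracted/pem/directory-hash, and check
# that a certificate verifies with the hashed directory alone.
# Assumes the openssl CLI (1.1.0+) is on PATH. Function names are ours.

# check_hash_dir DIR
# For every <8-hex-subject-hash>.<n> entry, confirm it resolves to a
# readable PEM certificate whose subject hash equals the name prefix.
# Problems go to stderr; the number of bad entries is printed to stdout
# so callers can capture it with $(...). Always returns 0.
check_hash_dir() {
    dir=$1
    bad=0
    seen=0
    for f in "$dir"/*; do
        name=$(basename "$f")
        case "$name" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;       # not a hash entry (e.g. ca-bundle.crt, or empty glob)
        esac
        seen=$((seen + 1))
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "dangling: $name -> $(readlink "$f")" >&2
            bad=$((bad + 1))
            continue
        fi
        expected=${name%%.*}
        actual=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || actual=unreadable
        if [ "$actual" != "$expected" ]; then
            echo "mismatch: $name has subject_hash $actual" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$seen" -gt 0 ] || echo "note: no hash entries found in $dir" >&2
    echo "$bad"
    return 0
}

# verify_capath_only DIR CERT
# Would CERT still verify if cert.pem went away? -no-CAfile disables the
# default bundle so only the hashed directory DIR is consulted; OpenSSL
# looks the issuer up by subject hash, so a mis-named link is not found.
# Returns 0 when the chain verifies, non-zero otherwise.
verify_capath_only() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage: sh audit-capath.sh /etc/pki/tls/certs [cert-to-verify.pem]
if [ -n "${1:-}" ]; then
    bad=$(check_hash_dir "$1")
    echo "bad hash entries in $1: $bad"
    if [ -n "${2:-}" ]; then
        if verify_capath_only "$1" "$2"; then
            echo "$2 verifies with CApath alone"
        else
            echo "$2 does NOT verify with CApath alone"
        fi
    fi
fi
```

Running it against /etc/pki/tls/certs on a Fedora system shows whether the ca-certificates scriptlets have left the hash links consistent; passing a server or client certificate as the second argument shows whether that particular chain depends on the bundle file or on the directory-hash lookup.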