Comments (12)
Hm, yes maybe that's an idea! But isn't that even better tracked in the upstream mercurial repo?
from ca-bundle.
It's not 1:1 though, there is processing, and also just because they update on some frequency doesn't mean you will. It would be good to have a history of what is being distributed, whether it's here or in curl-www. In other words I'd like to be able to tell whether at point in time x the website was distributing a bundle with certificate y.
Yeah. That's also a pretty good reason to consider something automatic in that fashion for my script on the site...
I've now at least made the backend script on the curl site keep the old version when an updated one is received.
Is there a way to authenticate that an attacker has not hacked into and uploaded a bad copy into https://curl.haxx.se/docs/caextract.html (assumes they can hack into the webserver, so the SSL encryption just proves it is coming from the webserver that was broken into)
Right now we checksum our downloads to detect tampering and every time that URL updates it is indistinguishable from the site getting backdoored, so our builds break.
The nice thing about this repo is that each new version is a new sha with a new url, so we can pin on a version and upgrade on our schedule and not have builds break when you push new content here.
We also do this with everything else that we download so that when ruby-2.3.1.tar.gz or whatever gets released we add the checksum to our configs and point at the new URL -- but the old ruby-2.3.0.tar.gz does not get broken when the upstream releases a new version.
And fundamentally https://curl.haxx.se/docs/caextract.html is an unversioned asset, which is bad. I really badly want a URL with a version string in it.
Right, you don't know that curl.haxx.se wasn't broken into, but you also don't know that about github.com. And neither can actually know that the source Mozilla host hasn't been compromised in such a manner. Those are risks we need to accept I think.
The fact that caextract is unversioned is a mixed blessing. Most users appreciate that they can get the latest CA bundle with a fixed URL.
I intend to introduce "versioned" PEM files on the curl.haxx.se site as well, as the automated script actually now keeps formerly generated files as well. That will create fixed URLs to PEMs from dates in time when the remote bundle was updated.
I don't mind keeping this repo around for an indefinite time forward and I won't remove it anytime soon. The main downside with it is that it isn't fully automated, so the commit/push of updated bundles is done manually. The curl web site version is fully automated and runs daily and thus catches up on upstream changes sooner.
But the way that our system is, we explicitly don't trust you until we made a choice to bump the software. Until that point we're automatically validating checksums on downloads so we will break if there's any tampering in the URLs that we download. We could actually detect hostile backdoors that way. If someone hacks into github right now and somehow changes this repo so that the URL that we're downloading from has a cert which is effectively a backdoor then we'd see our checksums change and the build would break. The problem with the curl.haxx.se urls is that every time you publish a new one it causes the checksums to break.
We've engineered how we consume the ca-certs file to explicitly not accept those risks. And it works fine for pretty much everything we download except for the ca-certs bundle.
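An added example, not code from the ca-bundle repo or the curl site, of the pin-and-verify consumption described in the two comments above: each downloaded asset is recorded as an immutable URL plus the SHA-256 taken when it was pinned, a later fetch is accepted only if the bytes still hash to that value, and an unversioned URL is refused up front because a mismatch on it cannot be told apart from tampering. The fetcher is a constructed in-memory stand-in for curl so the example runs offline; the URLs, bundle bytes and hashes are constructed, and the `is_versioned_url` heuristic (date, commit hash or dotted version in the path) is an assumption of this example.

```python
"""Pin-and-verify consumption of a CA bundle (added example, not project code)."""
import hashlib
import hmac
import re
from typing import Callable, Dict

# A pin record as it would live in a build config: one immutable URL plus
# the SHA-256 of the bytes that URL served when the pin was taken.
Pin = Dict[str, str]

# Assumption of this example: a URL path is treated as immutable if it
# carries a date (YYYY-MM-DD), a git commit hash or a dotted version number.
_VERSION_MARKERS = re.compile(
    r"(\d{4}-\d{2}-\d{2}|\b[0-9a-f]{7,40}\b|\d+\.\d+(\.\d+)?)"
)


class PinError(Exception):
    """Raised when a pinned download cannot be trusted."""


def is_versioned_url(url: str) -> bool:
    """True if the URL path (host excluded) looks like a fixed snapshot."""
    path = url.split("://", 1)[-1].split("/", 1)[-1] if "://" in url else url
    return bool(_VERSION_MARKERS.search(path))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_pin(url: str, fetcher: Callable[[str], bytes]) -> Pin:
    """Take a pin: fetch the asset once and record its hash beside its URL.

    Unversioned URLs are refused here as well; pinning a moving target
    guarantees a later checksum failure that looks exactly like tampering."""
    if not is_versioned_url(url):
        raise PinError(f"refusing to pin unversioned URL: {url}")
    return {"url": url, "sha256": sha256_hex(fetcher(url))}


def fetch_pinned(pin: Pin, fetcher: Callable[[str], bytes]) -> bytes:
    """Download pin['url'] and return the bytes only if they hash to pin['sha256']."""
    url = pin["url"]
    if not is_versioned_url(url):
        raise PinError(f"refusing to pin unversioned URL: {url}")
    data = fetcher(url)
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, pin["sha256"].lower()):
        raise PinError(
            f"checksum mismatch for {url}: expected {pin['sha256']}, got {actual}"
        )
    return data


# Constructed stand-in for the remote site: one moving "latest" URL whose
# content was replaced when upstream updated, and dated snapshots that never
# change. The bundle bytes are placeholders, not real certificates.
BUNDLE_V1 = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-BUNDLE-v1\n-----END CERTIFICATE-----\n"
BUNDLE_V2 = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-BUNDLE-v2\n-----END CERTIFICATE-----\n"
CONSTRUCTED_SERVER = {
    "https://example.invalid/ca/cacert.pem": BUNDLE_V2,  # latest, moves over time
    "https://example.invalid/ca/cacert-2020-01-01.pem": BUNDLE_V1,
    "https://example.invalid/ca/cacert-2020-06-01.pem": BUNDLE_V2,
}


def fake_fetch(url: str) -> bytes:
    """In-memory replacement for `curl -fsSL`; unknown URLs behave like a 404."""
    try:
        return CONSTRUCTED_SERVER[url]
    except KeyError:
        raise PinError(f"no such asset: {url}") from None


if __name__ == "__main__":
    # Pin the dated snapshot; upstream has since published v2 at the moving
    # URL, but the snapshot still verifies, so the build does not break.
    pin = build_pin("https://example.invalid/ca/cacert-2020-01-01.pem", fake_fetch)
    print("pinned:", pin)
    print("verified", len(fetch_pinned(pin, fake_fetch)), "bytes")
    # Both of these are rejected: a moving URL, and a pin whose bytes changed.
    for bad in (
        {"url": "https://example.invalid/ca/cacert.pem", "sha256": pin["sha256"]},
        dict(pin, sha256="00" * 32),
    ):
        try:
            fetch_pinned(bad, fake_fetch)
        except PinError as err:
            print("rejected:", err)
```

In a real build the pin records live in version control and `fake_fetch` is replaced by the actual download; the upgrade step is then an explicit commit that changes both the URL and the hash, which is the "bump on our own timing" the comment asks for.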
The problem with the curl.haxx.se urls is that every time you publish a new one it causes the checksums to break.
Right, and then you discover that and fix it. If you don't discover the new bundle you keep using the outdated bundle... 😄
Anyway, I've made the caextract page on curl.haxx.se provide static URLs to specific bundles now that won't change over time.
Right, and then you discover that and fix it. If you don't discover the new bundle you keep using the outdated bundle... :smile:
yeah, but we'd prefer to do it on our own timing...
Anyway, I've made the caextract page on curl.haxx.se provide static URLs to specific bundles now that won't change over time.
sweet, that's all that we need...
Okay now this repo has no purpose 👍
hehe, thanks. I don't have any immediate plans to take it anywhere though...
yeah, peeps prolly have old references to it, you definitely shouldn't nuke it, but afaik you can close this issue... =)