cunix wrote:
[...] 3. Is it perhaps unacceptable from a security point of view to have a package in the openSUSE distribution, that doesn't use the users system trust settings but is configured to always rely on the openSUSE defaults? (Firefox does something similar but offers a UI to change them).
In general it's neither advisable to bundle CA certificates nor ssl libraries. Firefox is a bit special as it basically is the reference for the system CA certificates. By installing p11-kit-nss-trust which replaces mozilla-nss-certs Firefox would also load the system wide certs. In case of godot looks like it's using openSSL. Not sure why they are jumping through hoops to make godot read some built in CA bundle. Game developers are hardly in the CA business so if I were them I'd stay away from that as far as possible :-) Anyways, as you can see in modules/openssl/stream_peer_openssl.cpp there even is a commented call to SSL_CTX_load_verify_locations() "for testing". Pretty close. Replace that with a call to SSL_CTX_set_default_verify_paths(), reduce the built in bundle to not contain any certs at all and you are done. godot will then rely on openssl to read the system wide cert store. If you make that a build time configure option you could even try to get the change upstream. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.com/ SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org