Mailinglist Archive: opensuse-packaging (104 mails)

< Previous Next >
Re: [opensuse-packaging] Packaging Godot
cunix wrote:
[...]
3. Is it perhaps unacceptable from a security point of view to have a
package in the openSUSE distribution, that doesn't use the users system
trust settings but is configured to always rely on the openSUSE defaults?
(Firefox does something similar but offers a UI to change them).

In general it's neither advisable to bundle CA certificates nor ssl
libraries. Firefox is a bit special as it basically is the reference for
the system CA certificates. By installing p11-kit-nss-trust which
replaces mozilla-nss-certs Firefox would also load the system wide
certs.

In case of godot looks like it's using openSSL. Not sure why they are
jumping through hoops to make godot read some built in CA bundle. Game
developers are hardly in the CA business so if I were them I'd stay away
from that as far as possible :-)
Anyways, as you can see in modules/openssl/stream_peer_openssl.cpp
there even is a commented call to SSL_CTX_load_verify_locations()
"for testing". Pretty close. Replace that with a call to
SSL_CTX_set_default_verify_paths(), reduce the built in bundle to
not contain any certs at all and you are done. godot will then rely on
openssl to read the system wide cert store.
If you make that a build time configure option you could even try to
get the change upstream.

cu
Ludwig

--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.com/
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard,
Graham Norton, HRB 21284 (AG N├╝rnberg)
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-packaging+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups
References