Mailinglist Archive: opensuse-packaging (104 mails)

< Previous Next >
Re: [opensuse-packaging] Packaging Godot
The current build of Godot is set to use openSUSE’s openssl library. The
"thirdparty/certs/ca-certificates.crt" file is used to generate a C-header file
to be compiled into the program. The ca-certificates.crt file was pulled from
an install of Fedora.

See:
* https://github.com/godotengine/godot/blob/master/editor/SCsub#L65
*
https://github.com/godotengine/godot/blob/master/editor/editor_builders.py#L12-L35

With cunix’s method, Godot would be updated whenever the ca-certificates
packages were updated.

As Simon Lees said, we will have to open up a ticket with the security team to
get their opinion.

Max Mitschke


On Aug 27, 2018, at 3:46 AM, Ludwig Nussel <ludwig.nussel@xxxxxxx> wrote:

cunix wrote:
[...]
3. Is it perhaps unacceptable from a security point of view to have a
package in the openSUSE distribution, that doesn't use the users system
trust settings but is configured to always rely on the openSUSE defaults?
(Firefox does something similar but offers a UI to change them).

In general it's neither advisable to bundle CA certificates nor ssl
libraries. Firefox is a bit special as it basically is the reference for
the system CA certificates. By installing p11-kit-nss-trust which
replaces mozilla-nss-certs Firefox would also load the system wide
certs.

In case of godot looks like it's using openSSL. Not sure why they are
jumping through hoops to make godot read some built in CA bundle. Game
developers are hardly in the CA business so if I were them I'd stay away
from that as far as possible :-)
Anyways, as you can see in modules/openssl/stream_peer_openssl.cpp
there even is a commented call to SSL_CTX_load_verify_locations()
"for testing". Pretty close. Replace that with a call to
SSL_CTX_set_default_verify_paths(), reduce the built in bundle to
not contain any certs at all and you are done. godot will then rely on
openssl to read the system wide cert store.
If you make that a build time configure option you could even try to
get the change upstream.

cu
Ludwig

--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.com/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard,
Graham Norton, HRB 21284 (AG Nürnberg)
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-packaging+owner@xxxxxxxxxxxx


--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-packaging+owner@xxxxxxxxxxxx

< Previous Next >
References