Mailinglist Archive: opensuse-packaging (104 mails)

Re: [opensuse-packaging] Packaging Godot
[Full quote to push previous message to Rémi, who might not be subscribed]

Ludwig Nussel:
cunix wrote:
[...]
3. Is it perhaps unacceptable from a security point of view to have a
package in the openSUSE distribution, that doesn't use the users system
trust settings but is configured to always rely on the openSUSE defaults?
(Firefox does something similar but offers a UI to change them).

In general it's neither advisable to bundle CA certificates nor ssl
libraries. Firefox is a bit special as it basically is the reference for
the system CA certificates. By installing p11-kit-nss-trust which
replaces mozilla-nss-certs Firefox would also load the system wide
certs.

Thanks for this pointer, Ludwig! We should try it.

In case of godot looks like it's using openSSL. Not sure why they are
jumping through hoops to make godot read some built in CA bundle. Game
developers are hardly in the CA business so if I were them I'd stay away
from that as far as possible :-)

Can't speak for upstream but this might be related to godot's use of so
called "templates". These are used to export a game project into
single binaries that should run out of the box on various platforms.

Anyways, as you can see in modules/openssl/stream_peer_openssl.cpp
there even is a commented call to SSL_CTX_load_verify_locations()
"for testing". Pretty close. Replace that with a call to
SSL_CTX_set_default_verify_paths(), reduce the built in bundle to
not contain any certs at all and you are done. godot will then rely on
openssl to read the system wide cert store.

Thank you very much for figuring this out!
You're obviously the expert here.
We should try if this can be a solution.

But I've to admit that I do not know the innards of the Godot source
code and all the openSSL pitfalls.
If users are really better off with a patch from a packaging guy who
isn't really brave and confident enough, beyond scratching the surface
and twisting some existing build options, to fiddle with this security
critical part of the code, I'm not sure.

Additionally this won't be lasting, as it seems Godot will switch with
version 3.1 to mbedtls.

If you make that a build time configure option you could even try to
get the change upstream.

While I would prefer to get this option from upstream, you're absolutely
right ;)

cu
Ludwig

cunix 
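The switch Ludwig describes, shown through Python's ssl module as an added example (not code from Godot or from anyone in this thread): SSLContext.set_default_verify_paths() is the Python binding of SSL_CTX_set_default_verify_paths(), load_verify_locations() the binding of SSL_CTX_load_verify_locations(), so the same trust-source decision can be demonstrated without the C++ build. It also shows the caveat that emptying the bundle without switching the trust source leaves no anchors at all; the empty bundle is constructed input.

```python
import ssl


def system_trust_context() -> ssl.SSLContext:
    """Client context that trusts the distribution's CA store and nothing else.

    SSLContext.set_default_verify_paths() is the Python binding of OpenSSL's
    SSL_CTX_set_default_verify_paths(): the store is filled from the cert file
    and directory compiled into OpenSSL (overridable through SSL_CERT_FILE and
    SSL_CERT_DIR), so the application ships no CA bundle of its own.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # SSL_VERIFY_PEER: a trust store is useless without it
    ctx.check_hostname = True
    ctx.set_default_verify_paths()
    return ctx


def bundled_trust_context(bundle_pem: str) -> ssl.SSLContext:
    """The pattern the thread argues against: trust only an app-shipped bundle.

    load_verify_locations(cadata=...) is the binding of SSL_CTX_load_verify_locations().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cadata=bundle_pem)
    return ctx


def empty_bundle_is_rejected() -> bool:
    """Caveat: stripping the bundle without switching the trust source leaves
    no anchors; the empty bundle is refused outright (ValueError / SSLError)."""
    try:
        bundled_trust_context("")  # constructed input: a bundle stripped of every cert
    except (ValueError, ssl.SSLError):
        return True
    return False


def trust_summary(ctx: ssl.SSLContext) -> dict:
    """What a reviewer checks: is verification on, and where do the anchors come from?"""
    paths = ssl.get_default_verify_paths()  # the locations set_default_verify_paths() consults
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "ca_certs_loaded": ctx.cert_store_stats()["x509_ca"],  # file lookups load eagerly, dir lookups lazily
        "system_cafile": paths.cafile, "system_capath": paths.capath,
        "env_overrides": (paths.openssl_cafile_env, paths.openssl_capath_env),
    }
```

On a host without a populated system store, trust_summary() reports zero loaded CAs for the system context, which is the condition to check for when packaging rather than a reason to ship a bundle.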
