pkg/58974: security/p11-kit abuses mozilla-rootcerts for non-TLS trust anchors

To: pkg-manager%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,pkgsrc-bugs%netbsd.org@localhost
Subject: pkg/58974: security/p11-kit abuses mozilla-rootcerts for non-TLS trust anchors
From: campbell+netbsd%mumble.net@localhost
Date: Tue, 7 Jan 2025 19:30:01 +0000 (UTC)

>Number:         58974
>Category:       pkg
>Synopsis:       security/p11-kit abuses mozilla-rootcerts for non-TLS trust anchors
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jan 07 19:30:01 +0000 2025
>Originator:     Taylor R Campbell
>Release:        current
>Organization:
The NetBSD#11 Foundacertification
>Environment:
>Description:
security/p11-kit is currently built to depend on security/mozilla-rootcerts and use its cacert.pem file as trust anchors.

But mozilla-rootcerts cacert.pem is intended only for _TLS_ trust anchors.  p11-kit doesn't do TLS as far as I know.  It's not clear it makes sense to bake any trust anchors into it.
>How-To-Repeat:
code inspection
>Fix:
1. Determine whether my assessment that we shouldn't bake any trust anchors in is right.
2. If so, nix the DEPENDS+=mozilla-rootcerts and the MESON_ARGS+=-Dtrust_paths=... settings.

Prev by Date: pkg/58973: security/botan3 ignores system trust anchors for TLS
Next by Date: Re: pkg/58973 (security/botan3 ignores system trust anchors for TLS)
Previous by Thread: pkg/58973: security/botan3 ignores system trust anchors for TLS
Next by Thread: Re: pkg/58973 (security/botan3 ignores system trust anchors for TLS)
Indexes:

Home | Main Index | Thread Index | Old Index