Bug 521902

Summary: kdelibs: use ca-certificates' ca-bundle.crt
Product: [Fedora] Fedora Reporter: Tomas Hoger <thoger>
Component: kdelibsAssignee: Than Ngo <than>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: fedora, jorton, jreznik, kevin, ltinkl, rdieter, smparrish, than
Target Milestone: ---Keywords: FutureFeature, Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: akonadi-1.4.0-3.fc13 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 734446 734447 (view as bug list) Environment:
Last Closed: 2017-12-31 21:25:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 521911, 603202    
Bug Blocks:    
Attachments:
Description Flags
Extra certs in kdelibs bundle none

Description Tomas Hoger 2009-09-08 16:29:40 UTC 
Description of problem:
kdelibs (and kdelibs3) ship own bundle of trusted CA certificates (ca-bundle.crt, stored in /usr/share/kde4/apps/kssl and /usr/share/apps/kssl respectively).  Fedora already contains a separate package containing such bundle expected to be used for general web surfing (just like kdelibs' bundle) - ca-certificates package (bundle was previously provided by openssl).

Have you considered using bundle from ca-certificates instead of the one shipped with KDE sources?  Doing some search on the internet, people seem to expect "system" (i.e. ca-certificates') bundle to be use by default, even more now that KDE4's SSL management GUI is incomplete:

  http://bugs.kde.org/show_bug.cgi?id=162485
Comment 1 Tomas Hoger 2009-09-08 16:32:20 UTC 
Created attachment 360102 [details]
Extra certs in kdelibs bundle

I did some rudimentary Subject-based diff between the bundles.  Attached list contains 30 CAs listed in kdelibs bundle and not in ca-certificates.  Plus another 12, which are already expired and hence should be safe to ignore now.
Comment 2 Rex Dieter 2009-09-08 18:14:47 UTC 
Agreed, system copies are preferable.  I'll take a look.

not sure how best to handle the extra certs.
Comment 3 Rex Dieter 2009-09-08 18:24:51 UTC 
My reading of
https://bugs.kde.org/show_bug.cgi?id=162485#c14
makes it sound like qt's ca-certs are used (though not purposefully, and that may soon change), so now that we have qt fixed (bug #521911), we get this one for free (for now, in kdelibs anyway).

Long-term we can look to fix this better (and for kdelibs3 too).
Comment 4 Rex Dieter 2009-09-08 18:44:44 UTC 
Considerations:
* add kde certs to qt's ca-cert path too ?

* integrate something similar to patch referenced at https://bugs.kde.org/show_bug.cgi?id=162485#c17 , to load system ca-certificates 
  * with or without the ones included in kssl/ca-bundle.crt ?
Comment 5 Steven M. Parrish 2009-09-26 22:39:39 UTC 
Ping any updates Rex?

-- 
Steven M. Parrish - KDE Triage Master
                  - PackageKit Triager
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 6 Rex Dieter 2009-11-12 14:00:30 UTC 
no change, other than to reaffirm comment #3 , that our use of ca-certificates in qt should mean kde gets those for free.  Needs confirmation/testing however. 

Further, I'd feel better if there were more movement on the upstream bug (162485).
Comment 7 Rex Dieter 2010-01-29 19:34:05 UTC 
Rats, according to this thread,
http://lists.kde.org/?t=126472494900001&r=1&w=2

kdelibs override's qt's ca cert bundle.
Comment 8 Rex Dieter 2010-08-26 18:16:51 UTC 
%changelog
* Thu Aug 26 2010 Rex Dieter <rdieter> - 4.5.0-6
- use ca-certificates' ca-bundle.crt  (#521902)
Comment 9 Fedora Update System 2010-10-24 19:01:29 UTC 
akonadi-1.4.0-3.fc13,attica-0.1.4-1.fc13,kde-l10n-4.5.2-1.fc13,kde-plasma-networkmanagement-0.9-0.28.20101011.fc13.2,kde-plasma-yawp-0.3.5-2.fc13,kdeaccessibility-4.5.2-1.fc13,kdeadmin-4.5.2-1.fc13,kdeartwork-4.5.2-1.fc13,kdebase-4.5.2-2.fc13,kdebase-runtime-4.5.2-3.fc13,kdebase-workspace-4.5.2-3.fc13,kdebindings-4.5.2-2.fc13,kdeedu-4.5.2-2.fc13,kdegames-4.5.2-1.fc13,kdegraphics-4.5.2-4.fc13,kdelibs-4.5.2-7.fc13,kdemultimedia-4.5.2-1.fc13,kdenetwork-4.5.2-1.fc13,kdepimlibs-4.5.2-1.fc13,kdeplasma-addons-4.5.2-1.fc13,kdesdk-4.5.2-1.fc13,kdetoys-4.5.2-1.fc13,kdeutils-4.5.2-1.fc13,oxygen-icon-theme-4.5.2-1.fc13,soprano-2.5.2-1.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/akonadi-1.4.0-3.fc13,attica-0.1.4-1.fc13,kde-l10n-4.5.2-1.fc13,kde-plasma-networkmanagement-0.9-0.28.20101011.fc13.2,kde-plasma-yawp-0.3.5-2.fc13,kdeaccessibility-4.5.2-1.fc13,kdeadmin-4.5.2-1.fc13,kdeartwork-4.5.2-1.fc13,kdebase-4.5.2-2.fc13,kdebase-runtime-4.5.2-3.fc13,kdebase-workspace-4.5.2-3.fc13,kdebindings-4.5.2-2.fc13,kdeedu-4.5.2-2.fc13,kdegames-4.5.2-1.fc13,kdegraphics-4.5.2-4.fc13,kdelibs-4.5.2-7.fc13,kdemultimedia-4.5.2-1.fc13,kdenetwork-4.5.2-1.fc13,kdepimlibs-4.5.2-1.fc13,kdeplasma-addons-4.5.2-1.fc13,kdesdk-4.5.2-1.fc13,kdetoys-4.5.2-1.fc13,kdeutils-4.5.2-1.fc13,oxygen-icon-theme-4.5.2-1.fc13,soprano-2.5.2-1.fc13
Comment 10 Fedora Update System 2010-11-04 23:37:01 UTC 
akonadi-1.4.0-3.fc13, attica-0.1.4-1.fc13, kde-l10n-4.5.2-1.fc13, kde-plasma-networkmanagement-0.9-0.28.20101011.fc13.2, kde-plasma-yawp-0.3.5-2.fc13, kdeaccessibility-4.5.2-1.fc13, kdeadmin-4.5.2-1.fc13, kdeartwork-4.5.2-1.fc13, kdebase-4.5.2-2.fc13, kdebase-runtime-4.5.2-3.fc13, kdebase-workspace-4.5.2-3.fc13, kdebindings-4.5.2-2.fc13, kdeedu-4.5.2-2.fc13, kdegames-4.5.2-1.fc13, kdegraphics-4.5.2-4.fc13, kdemultimedia-4.5.2-1.fc13, kdenetwork-4.5.2-1.fc13, kdepimlibs-4.5.2-1.fc13, kdeplasma-addons-4.5.2-1.fc13, kdesdk-4.5.2-1.fc13, kdetoys-4.5.2-1.fc13, kdeutils-4.5.2-1.fc13, oxygen-icon-theme-4.5.2-1.fc13, soprano-2.5.2-1.fc13, kphotoalbum-4.1.1-6.fc13, themonospot-gui-qt-0.1.3-7.fc13, kcm-gtk-0.5.3-5.fc13, kcm_touchpad-0.3.1-3.fc13, kdebase3-3.5.10-17.fc13, digikam-1.5.0-1.fc13.1, kdelibs-4.5.2-8.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2017-12-29 03:25:08 UTC 
kdelibs3-3.5.10-90.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e23674a9ec
Comment 12 Fedora Update System 2017-12-29 03:25:24 UTC 
kdelibs3-3.5.10-90.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eabbc65b10
Comment 13 Fedora Update System 2017-12-29 19:32:03 UTC 
kdelibs3-3.5.10-90.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e23674a9ec
Comment 14 Fedora Update System 2017-12-29 21:42:28 UTC 
kdelibs3-3.5.10-90.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-eabbc65b10
Comment 15 Fedora Update System 2017-12-31 21:25:44 UTC 
kdelibs3-3.5.10-90.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2018-01-06 23:09:08 UTC 
kdelibs3-3.5.10-90.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.