Bug 1478172
Summary: | [PATCH] update-ca-trust: Use P11_KIT_NO_USER_CONFIG | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Colin Walters <walters> | ||||
Component: | ca-certificates | Assignee: | Kai Engert (:kaie) (inactive account) <kengert> | ||||
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | rawhide | CC: | dueno, jorton, kengert, pwouters, stefw, tmraz | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | ca-certificates-2017.2.16-4.fc27 | Doc Type: | If docs needed, set a value | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2017-08-15 14:11:34 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Colin Walters
2017-08-03 19:27:00 UTC
Created attachment 1308863 [details]
[PATCH] update-ca-trust: Use P11_KIT_NO_USER_CONFIG
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'. If I understand your report correctly, p11-kit attempts to read a configuration file stored in the effective user's home directory. You have changed p11-kit to support an environment variables that prevents it from doing so, and you are suggesting that the ca-certificates package sets this variable when running p11-kit. Daiki, Stef, can you think of any reason why "p11-kit extract" would require access to the root user's p11-kit configuration file? If I understand correctly, we're talking about the pkcs11.conf, and I guess a user could use it to configure additional pkcs11 modules. In theory, someone could have configured a pkcs#11 module that contains root CAs. I don't know if that could have resulted in additional root CAs (those from the additional pkcs#11 modules) to be added into the exported bundle files. With the suggested change from here, the CAs from such additional pkcs#11 modules would be excluded. This seems to be a rather exotic configuration. I'm OK to disable the config file reading, and hope that nobody will report a regression. Regarding the suggested patch, I think it should be fine to set the environment variable just once in the update-ca-trust script. The env var seems to be introduced with p11-kit 0.23.8 which hasn't been packaged for rawhide yet. Should I bump the package version requirement, and wait until the updated p11-kit package is available? I think it's fine to apply the patch now, and not to add a hard version requirement; the variable will simply do nothing with earlier versions of p11-kit. |