Description of problem: kdelibs (and kdelibs3) ship own bundle of trusted CA certificates (ca-bundle.crt, stored in /usr/share/kde4/apps/kssl and /usr/share/apps/kssl respectively). Fedora already contains a separate package containing such bundle expected to be used for general web surfing (just like kdelibs' bundle) - ca-certificates package (bundle was previously provided by openssl). Have you considered using bundle from ca-certificates instead of the one shipped with KDE sources? Doing some search on the internet, people seem to expect "system" (i.e. ca-certificates') bundle to be use by default, even more now that KDE4's SSL management GUI is incomplete: http://bugs.kde.org/show_bug.cgi?id=162485
Created attachment 360102 [details] Extra certs in kdelibs bundle I did some rudimentary Subject-based diff between the bundles. Attached list contains 30 CAs listed in kdelibs bundle and not in ca-certificates. Plus another 12, which are already expired and hence should be safe to ignore now.
Agreed, system copies are preferable. I'll take a look. not sure how best to handle the extra certs.
My reading of https://bugs.kde.org/show_bug.cgi?id=162485#c14 makes it sound like qt's ca-certs are used (though not purposefully, and that may soon change), so now that we have qt fixed (bug #521911), we get this one for free (for now, in kdelibs anyway). Long-term we can look to fix this better (and for kdelibs3 too).
Considerations: * add kde certs to qt's ca-cert path too ? * integrate something similar to patch referenced at https://bugs.kde.org/show_bug.cgi?id=162485#c17 , to load system ca-certificates * with or without the ones included in kssl/ca-bundle.crt ?
Ping any updates Rex? -- Steven M. Parrish - KDE Triage Master - PackageKit Triager Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
no change, other than to reaffirm comment #3 , that our use of ca-certificates in qt should mean kde gets those for free. Needs confirmation/testing however. Further, I'd feel better if there were more movement on the upstream bug (162485).
Rats, according to this thread, http://lists.kde.org/?t=126472494900001&r=1&w=2 kdelibs override's qt's ca cert bundle.
%changelog * Thu Aug 26 2010 Rex Dieter <rdieter> - 4.5.0-6 - use ca-certificates' ca-bundle.crt (#521902)
akonadi-1.4.0-3.fc13,attica-0.1.4-1.fc13,kde-l10n-4.5.2-1.fc13,kde-plasma-networkmanagement-0.9-0.28.20101011.fc13.2,kde-plasma-yawp-0.3.5-2.fc13,kdeaccessibility-4.5.2-1.fc13,kdeadmin-4.5.2-1.fc13,kdeartwork-4.5.2-1.fc13,kdebase-4.5.2-2.fc13,kdebase-runtime-4.5.2-3.fc13,kdebase-workspace-4.5.2-3.fc13,kdebindings-4.5.2-2.fc13,kdeedu-4.5.2-2.fc13,kdegames-4.5.2-1.fc13,kdegraphics-4.5.2-4.fc13,kdelibs-4.5.2-7.fc13,kdemultimedia-4.5.2-1.fc13,kdenetwork-4.5.2-1.fc13,kdepimlibs-4.5.2-1.fc13,kdeplasma-addons-4.5.2-1.fc13,kdesdk-4.5.2-1.fc13,kdetoys-4.5.2-1.fc13,kdeutils-4.5.2-1.fc13,oxygen-icon-theme-4.5.2-1.fc13,soprano-2.5.2-1.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/akonadi-1.4.0-3.fc13,attica-0.1.4-1.fc13,kde-l10n-4.5.2-1.fc13,kde-plasma-networkmanagement-0.9-0.28.20101011.fc13.2,kde-plasma-yawp-0.3.5-2.fc13,kdeaccessibility-4.5.2-1.fc13,kdeadmin-4.5.2-1.fc13,kdeartwork-4.5.2-1.fc13,kdebase-4.5.2-2.fc13,kdebase-runtime-4.5.2-3.fc13,kdebase-workspace-4.5.2-3.fc13,kdebindings-4.5.2-2.fc13,kdeedu-4.5.2-2.fc13,kdegames-4.5.2-1.fc13,kdegraphics-4.5.2-4.fc13,kdelibs-4.5.2-7.fc13,kdemultimedia-4.5.2-1.fc13,kdenetwork-4.5.2-1.fc13,kdepimlibs-4.5.2-1.fc13,kdeplasma-addons-4.5.2-1.fc13,kdesdk-4.5.2-1.fc13,kdetoys-4.5.2-1.fc13,kdeutils-4.5.2-1.fc13,oxygen-icon-theme-4.5.2-1.fc13,soprano-2.5.2-1.fc13
akonadi-1.4.0-3.fc13, attica-0.1.4-1.fc13, kde-l10n-4.5.2-1.fc13, kde-plasma-networkmanagement-0.9-0.28.20101011.fc13.2, kde-plasma-yawp-0.3.5-2.fc13, kdeaccessibility-4.5.2-1.fc13, kdeadmin-4.5.2-1.fc13, kdeartwork-4.5.2-1.fc13, kdebase-4.5.2-2.fc13, kdebase-runtime-4.5.2-3.fc13, kdebase-workspace-4.5.2-3.fc13, kdebindings-4.5.2-2.fc13, kdeedu-4.5.2-2.fc13, kdegames-4.5.2-1.fc13, kdegraphics-4.5.2-4.fc13, kdemultimedia-4.5.2-1.fc13, kdenetwork-4.5.2-1.fc13, kdepimlibs-4.5.2-1.fc13, kdeplasma-addons-4.5.2-1.fc13, kdesdk-4.5.2-1.fc13, kdetoys-4.5.2-1.fc13, kdeutils-4.5.2-1.fc13, oxygen-icon-theme-4.5.2-1.fc13, soprano-2.5.2-1.fc13, kphotoalbum-4.1.1-6.fc13, themonospot-gui-qt-0.1.3-7.fc13, kcm-gtk-0.5.3-5.fc13, kcm_touchpad-0.3.1-3.fc13, kdebase3-3.5.10-17.fc13, digikam-1.5.0-1.fc13.1, kdelibs-4.5.2-8.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs3-3.5.10-90.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e23674a9ec
kdelibs3-3.5.10-90.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eabbc65b10
kdelibs3-3.5.10-90.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e23674a9ec
kdelibs3-3.5.10-90.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-eabbc65b10
kdelibs3-3.5.10-90.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs3-3.5.10-90.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.