curl-library
mk-ca-bundle: certdata.txt pulled from soon to be EOL URL
Date: Thu, 10 Jul 2014 21:25:32 +0100
Hi
I noticed that mk-ca-bundle.pl fetches certdata.txt from mxr.mozilla.org
rather than the actual Mercurial VCS locations.
MXR is just a code indexer for Mozilla's repositories, that
holds cached versions of files from their canonical VCSs. Using
certdata.txt from MXR is not ideal since:
* the indexer sometimes fails, resulting in stuck stale files
* MXR is due to be retired soon (replaced by DXR)
* MXR is known to have pretty poor security (part of the reason for
retirement), so I would trust the cached copy of files there much
less than from from their canonical location on hg.mozilla.org
I was putting together a patch to switch the mxr.mozilla.org URLs to
ones like [1]:
http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
However upon testing it became apparent that hgweb [2] doesn't output
(or use) Last-Modified headers, and only understands ETag [3]. As a
result I get:
$ ./mk-ca-bundle.pl
Warning: Use of this script may pose some risk, -d risk for more details.
Downloading 'certdata.txt' ...
Use of uninitialized value in gmtime at ./mk-ca-bundle.pl line 258.
Processing 'certdata.txt' ...
Done (153 CA certs processed, 36 skipped).
...and we lose support for handling an unmodified certdata.txt.
Some options:
1) File an upstream Mercurial bug to add Last-Modified headers & then
pester Mozilla server ops to update the Hg version used to serve
hg.mozilla.org.
2) Forget about checking for last modified and just use the current time
in the comment header for the generated file.
3) Fetch certdata.txt again and compare to the old file locally, and
either use the current datetime for the comment header or else some
other identifier (eg Mercurial SHA current on that repo's tip).
#1 seems like the superior option, however it might be a bit of an
uphill struggle gaining interest/acceptance upstream.
I don't have an exact timeframe for MXR being EOLed, but it will likely
be this year sometime - so it would be good to get this sorted before
the script stops working :-)
Anyway, I'm keen to know your thoughts.
Best wishes,
Ed
[1] Ideally I would switch these to HTTPS, however this was tried before
(with MXR at least) and reverted due to issues with LWP and HTTPS:
http://curl.haxx.se/mail/lib-2012-03/0244.html
[2] http://www.selenic.com/hg/help/hgweb
[3] http://bz.selenic.com/show_bug.cgi?id=1845 and
http://hg.intevation.org/mercurial/crew/file/default/mercurial/hgweb/common.py#l188
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-11