
Re: Which version of certdata.txt is preferred for mk-ca-bundle, and why?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 18 Dec 2013 23:35:49 +0100 (CET)

On Wed, 18 Dec 2013, Leif W wrote:

Thanks Leif for doing this and "taking one" for the team.

> Ah well, it seems of course I'm/we're doing everything wrong, in terms of
> security.

Well, right and wrong is a subjective matter. Of course those guys are
entitled to their opinions but in at least some of these areas they are still
just opinions that can be argued back and forth.

> 1) Pulling from http versus https (chicken and egg problem?).
> 2) Not pulling from Mercurial,
> (although any release repository should be recent enough, mozilla-central
> was advised).
> 3) Pulling from Mercurial tip (may still be volatile).

It feels suitable here to mention this page:
https://developer.mozilla.org/en/docs/Developer_Guide/Source_Code/Mercurial
which seems to be the primary page for explaining how to get the Mozilla
source code off the mercurial repos.

It clearly primarily describes how you get the Mozilla source code over plain
HTTP. That's not secure by any means.

Conclusion: It is very easy to point fingers... (but yes, the repos exist over
HTTPS as well)

> 6) Not manually reviewing all of a certdata.txt AND the release notes,
> (BEFORE using it for anything).

I think someone is misunderstanding what the purpose of the script is.

> 7) Not bundling certdata.txt in cURL to avoid chicken/egg/trust/review
> issues.

I think someone is misunderstanding what the purpose of the script is. I have
no intention to bundle this with any release of curl for several reasons which
I don't think I'll go into right now.

Especially doing it in a secure/authenticated fashion and following those
strict guidelines would put a significant burden on the project that I don't
think anyone would thank us for.

> 8) Using certdata.txt outside of Mozilla projects,
> (as file format may change at any time without notice).

That's just silly. If the script breaks it breaks. Then someone either fixes
the script or won't get a suitable output. That script and its ancestors have
worked fine enough for over 5 years by now.

> 11) In general, not being responsible or security conscious.

Sorry that you'd get that in your face when you really were trying to help out
and improve things. I get that attitude much too often from "security experts"
all over when I do things in curl. Or for not doing enough things. I don't
think there's a way to avoid such feedback every now and then.

The challenge is to extract the facts and the "good" points and work on
improving those things.

> I'm a passer by willing to help tweak a script, but am not really
> experienced or qualified to speak on behalf of or make decisions for cURL
> when interacting with Mozilla. However, I've done my best to learn and
> gather details about related issues and concerns.

Thanks again for biting the bullet and taking it there.

I think I'm perfectly suitable to both speak for the curl project _and_ for
talking to Mozilla people - me just becoming a Mozilla employee probably makes
me an even better candidate for that position! ;-)

But also, I don't want to make this a big issue nor take it to a "political
level". The script is simply there to help those who want to, to convert the
ca cert file Mozilla maintains into PEM.

Your initial patch looked like the perfect direction to me. Possibly you now
have some feedback to update it slightly, and possibly we should also make it
output some general warnings in the spirit you received to make it more
obvious that running the script as it works now imposes a certain degree of
risk.

> The db2pem shell script is handy, if you're a Firefox user on a *nix system.
> That maybe could be adapted to a more portable language (Perl and/or PHP?).

Yes, that would be neat. I would guess that it could then also be made to work
on Windows etc with some adaptations...

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2013-12-18
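The conversion the mail describes, as an added example that is not part of this thread, not mk-ca-bundle.pl and not curl code: read Mozilla's certdata.txt object list, keep each CKO_CERTIFICATE whose CKO_NSS_TRUST record marks it CKT_NSS_TRUSTED_DELEGATOR for the chosen purpose, and emit it as PEM. The SAMPLE_CERTDATA excerpt is constructed in certdata.txt syntax for this example; its DER values are tiny placeholders, not real CA certificates, and the labels are invented. The join on issuer + serial number, the accepted CKT_NETSCAPE_* spelling and the output layout (label, underline, PEM block) are this example's choices.

```python
import base64
import re

# Trust values that mean "include this CA"; CKT_NETSCAPE_* is the older spelling.
TRUSTED = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}
TRUST_CLASSES = {"CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST"}

def octal_to_bytes(lines):
    """Decode MULTILINE_OCTAL text such as '\\060\\202' into bytes."""
    return bytes(int(t, 8) for t in re.findall(r"\\([0-7]{3})", "".join(lines)))

def parse_certdata(text):
    """One dict per CKA_CLASS block: octal -> bytes, UTF8 -> str, else raw token."""
    objects, cur, lines = [], {}, iter(text.splitlines())
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank lines, comments, BEGINDATA
        attr, typ, value = (parts + [""])[:3]
        if attr == "CKA_CLASS":  # every object starts with its class
            cur = {}
            objects.append(cur)
        if typ == "MULTILINE_OCTAL":  # value runs until a line reading END
            octal = []
            for l in lines:
                if l.strip() == "END":
                    break
                octal.append(l)
            cur[attr] = octal_to_bytes(octal)
        else:
            cur[attr] = value.strip('"') if typ == "UTF8" else value
    return objects

def to_pem(der, label):
    """One bundle entry: label, underline, then the PEM block (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (f"{label}\n{'=' * len(label)}\n-----BEGIN CERTIFICATE-----\n"
            f"{body}\n-----END CERTIFICATE-----\n\n")

def certdata_to_pem(text, purpose="CKA_TRUST_SERVER_AUTH"):
    """Return (pem_bundle, included_labels, excluded_labels) for one trust purpose."""
    objs = parse_certdata(text)
    # Join certificate and trust objects on issuer + serial (both carry them)
    # instead of assuming the trust record directly follows its certificate.
    ident = lambda o: (o.get("CKA_ISSUER"), o.get("CKA_SERIAL_NUMBER"))
    trust = {ident(o): o for o in objs if o.get("CKA_CLASS") in TRUST_CLASSES}
    pem, included, excluded = [], [], []
    for o in (o for o in objs if o.get("CKA_CLASS") == "CKO_CERTIFICATE"):
        label = o.get("CKA_LABEL", "<unlabelled>")
        # NOT_TRUSTED, MUST_VERIFY_TRUST or a missing trust object all drop out here
        if trust.get(ident(o), {}).get(purpose) in TRUSTED:
            included.append(label)
            pem.append(to_pem(o["CKA_VALUE"], label))
        else:
            excluded.append(label)
    return "".join(pem), included, excluded

# Constructed excerpt in certdata.txt syntax; DER values are placeholders, not real CAs.
SAMPLE_CERTDATA = r"""
# Certificate "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\005\014\003\101\101\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_ISSUER MULTILINE_OCTAL
\060\005\014\003\101\101\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\005\014\003\102\102\102
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_ISSUER MULTILINE_OCTAL
\060\005\014\003\102\102\102
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""
```

Running certdata_to_pem(SAMPLE_CERTDATA) yields one PEM entry for "Example Trusted Root" and lists "Example Distrusted Root" as excluded; asking for CKA_TRUST_EMAIL_PROTECTION includes nothing, since the sample grants server-auth trust only. Fetching is deliberately left out: the conversion is the easy part, and the trust in the output is exactly as good as the way certdata.txt was obtained, which is the thread's point. Pulling it over HTTPS (the repos are available that way) removes the plain-HTTP problem but not the chicken-and-egg question of which bundle verified that download.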