Hi Michael,

On 2014-04-02 09:50, Michael Shuler wrote:
> On 04/02/2014 12:27 AM, Filipus Klutiero wrote:
>> I rarely see multiple NEWS entries from packages which I never directly
>> interact with. ca-certificates is one package I never had to install,
>> remove, upgrade, downgrade, fix, or even learn about, yet it has 17
>> entries in 10 years. In fact, ca-certificates is the biggest NEWS.Debian
>> user of all packages installed on my machine (disregarding the package's
>> age - zgrep -hc urgency /usr/share/doc/*/NEWS.Debian*|sort -g).
>>
>> After examination of the entries, I do not think that this usage is
>> optimal. First of all, as NEWS entries of packages for "users" can be
>> displayed to system administrators of various proficiency, entries
>> should be worded clearly. The latest entry illustrates that this aspect
>> is deficient for ca-certificates:
>> ca-certificates (20140325) unstable; urgency=medium
>>
>>   Update mozilla/certdata.txt to version 1.97+revert_of_936304
>>     Mozilla reverted the removal of 1024-bit root certificates for
>>     Entrust.net, GTE CyberTrust, and ValiCert (RSA), but did not
>>     update the version number in nssckbi.h.
>>     Certificates added (+) (none removed):
>>     + "Entrust.net Secure Server CA"
>>     + "GTE CyberTrust Global Root"
>>     + "RSA Root Certificate 1"
>>     + "ValiCert Class 1 VA"
>>     + "ValiCert Class 2 VA"
>>
>> Even as a longtime Debian contributor, I have to focus quite a while
>> before developing some understanding of what this might mean. Hopefully
>> I understood the right thing (I think that means the 5 certificates
>> mentioned were added). This description may be fine for the changelog
>> (and better than a simplified version), but will surely lose most
>> readers in NEWS.Debian.

> I have carried on the NEWS entries of CA certificate adds/removes listings in
> the same manner as previous maintainers of the package.

I was not blaming you for that. I only listed the last entry to provide a
recent (and particularly cryptic) example. Now that ca-certificates is nearly
ubiquitous, and since these kinds of changes are clearly not going to change, I
simply thought it was time to reconsider after 10 years.

> I have attempted to follow a simple format for all the mozilla entries,
> including a legend for the lines that follow; (+)=adds, (-)=removes. To my
> eyes, it is quick to scan the list and grep'able. In addition, the subsequent
> lines are the quoted human readable CKA_LABEL values (there are some old NMU
> entries that listed the converted .crt filenames, which I don't think are very
> readable).

I agree. To clarify, I am not saying that it is hard to understand the changes 
for a system administrator who is concerned about CA certificates. What I am 
saying is that NEWS.Debian could hopefully be less time-consuming for the 
opposite population, the 90% of users who do not care about the changes (and 
would probably ignore a NEWS entry stating that all CA certificates were 
removed).

> Do you have an example of how to improve these NEWS entries?

I noticed this past entry, which I find interesting:
ca-certificates (20090624) unstable; urgency=low

  * This update eases the installation of local certification authorities
    by providing a canonical location in `/usr/local/share/ca-certificates'.
    All certificates found in this directory will automatically be included
    into the list of trusted certificates.  For details please see
    `/usr/share/doc/ca-certificates/README.Debian'.
  * New CA certificates:
    - COMODO ECC Certification Authority
    - DigiNotar Root CA
    - Network Solutions Certificate Authority
    - WellsSecure Public Root Certificate Authority
  * Removed CA certificates:
    - Equifax Secure Global eBusiness CA
    - UTN USERFirst Object Root CA

I like it because it uses full sentences ("The following CA certificates have
been added:" would be even better). It is also low on highly technical terms
(notably, it uses "certification authorities" rather than the ambiguous "CA"
acronym). Furthermore, it lists changes in two lists rather than cramming all
types together. It does take an extra line, but almost no extra words. That is
more clear and I'm sure it's quicker to read (I do not consider the compact
form as a problem for the changelog, it's just a consideration for NEWS
entries).


>> I recognize that there are presumably security implications to changing
>> the set of certificates. I suppose adding certificates facilitates
>> phishing, but unless I'm missing something, trusting a phony certificate
>> can't directly cause an exploit. I suppose removing certificates may
>> confuse users and *perhaps* break automated scripts. I suppose a small
>> number of administrators appreciate having a way to follow every change
>> to the list of certificates. That being said, there are lots of changes
>> in Debian. We can only afford to display those which we know would cause
>> the most problematic unexpected issues. The risks should be compared
>> with the costs. People particularly concerned about certificates can
>> read the changelog when they upgrade the package. Also, since packages
>> aren't upgraded at random times, system administrators should be
>> monitoring a system more just after an upgrade, so potential issues can
>> be expected to be less costly.

> In ca-certificates_20140223 I intentionally, as clearly as I could, as the
> first NEWS entry, on a line by itself, stated a certificate removal that is
> important for particular users to see.

That is good.

> Yes, these entries are important. I cannot assume which ones may be more or
> less important to users, and I leave this up to the user by providing the
> information.

>> I leave it to experts to decide how to react, but I feel that
>> certificate additions should not be mentioned, while I'm not sure that
>> removals deserve mention. Use of judgment may also be warranted (a
>> change affecting a top CA could be treated differently). If some
>> mentions are kept, it would be great to phrase entries so that readers
>> understand what issues a change could cause.

> I provide the factual changes and let users decide what to do with the
> information. These are all "top CA" certificate vendors, since your system is
> going to trust them. The user needs to modify their personal trust settings
> accordingly, if they care to do so. With nearly 200 certificates in the
> bundle, I think having a list of the ones that were just added/removed helps
> users.  If the user doesn't care to see NEWS entries, 'apt-get remove
> apt-listchanges' is quick and painless.

Sure, the pain would come from the result, i.e. not being notified of further 
changes. I would not say I don't care to see NEWS entries in general, but I 
have never cared about those from ca-certificates so far.


> I'd be happy to improve the entries, if you have a concrete example, but I
> don't think the provided contextual information should be edited.
>
> Feel free to take the proposed wheezy-pu and squeeze-pu updates as examples
> that a user may see in the future. The squeeze-pu is rather large ;)
>
> wheezy-pu NEWS - http://goo.gl/SQ0VnY
> squeeze-pu NEWS - http://goo.gl/EqUkLx

Wow, I didn't think such changes took place in stable. I think these changes
do deserve a NEWS entry, since they appear massive and affect stable.

I find the entry better than the one I quoted - it's more "user-friendly".
Still, I don't know what mozilla/certdata.txt is (I wasn't even aware it
existed). It would be best if that wasn't the heading for all the
description. I would either drop it or try to present it as a precision. The
first approach could look like:
The following certificates were added:
[...]
The following certificates were removed:
[...]

As for the renames, I don't know. I don't quite understand what this part means:

~ "StartCom Certification Authority"_2
 (both StartCom CAs now included with duplicate CKA_LABEL fix)


I think the approach above would provide clearer descriptions. However, I
maintain that more guidance would be even better. Giving instructions does not
exclude describing the changes. The descriptions could be kept intact with one
or two paragraphs appended:
"If programs on your system rely on [...], then you may want to restore these
certificates by [...]"
"If you do not trust [...], then you should remove these certificates by [...]"

These are really just quick templates, I have no idea what they should read.


> Thanks for the bug report!

Thanks to you for maintaining ca-certificates.

--
Filipus Klutiero
http://www.philippecloutier.com
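The thread turns on two things: which roots a trust-store update actually adds or removes, and how to say so in plain sentences. An administrator who wants to check that for themselves after an upgrade, rather than rely on the NEWS wording, can diff the two certdata.txt versions. The script below is an added example and is not code from the bug report, from the ca-certificates package or from its build scripts. It assumes the certdata.txt conventions visible in the thread (CKA_LABEL lines, CKO_CERTIFICATE objects paired with CKO_NSS_TRUST objects, DER bodies between MULTILINE_OCTAL and END), matches trust objects to certificates by label (a simplification), and suffixes duplicate labels with _2 on the model of the StartCom entry quoted above; the certdata snippets it runs on are constructed for the example, not real Mozilla data. It also handles the case a plain "added" list hides: a certificate that is present in the file but marked CKT_NSS_NOT_TRUSTED is not counted as a trusted root.

```python
"""Report which root certificates changed between two versions of Mozilla's
certdata.txt, in the full-sentence wording proposed in the thread.
Added example: not part of the bug report, the ca-certificates package or
its build scripts.  The certdata snippets below are constructed for this
example and are not real Mozilla data."""
import re
from collections import Counter

# certdata.txt stores labels as: CKA_LABEL UTF8 "Some Root CA"
LABEL_RE = re.compile(r'^CKA_LABEL\s+UTF8\s+"(.*)"\s*$')


def parse_certdata(text):
    """Split certdata.txt into its blank-line separated objects and return
    each one as a dict of attribute name -> value.  MULTILINE_OCTAL bodies
    (the DER bytes) are skipped; only labels and trust flags matter here."""
    objects, current, in_octal = [], {}, False
    for line in text.splitlines():
        if in_octal:                      # inside CKA_VALUE ... END
            in_octal = line.strip() != 'END'
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith('#') or stripped == 'BEGINDATA':
            if current:                   # object boundary
                objects.append(current)
                current = {}
            continue
        m = LABEL_RE.match(line)
        if m:
            current['CKA_LABEL'] = m.group(1)
            continue
        parts = line.split(None, 2)       # e.g. CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
        if len(parts) >= 2 and parts[1] == 'MULTILINE_OCTAL':
            in_octal = True
        elif len(parts) == 3:
            current[parts[0]] = parts[2]
    if current:
        objects.append(current)
    return objects


def trusted_server_labels(text):
    """Labels of CKO_CERTIFICATE objects whose trust object marks them
    CKT_NSS_TRUSTED_DELEGATOR for server authentication, i.e. roots a TLS
    client would actually trust.  A certificate that is present but marked
    CKT_NSS_NOT_TRUSTED is deliberately excluded.  Duplicate labels get a
    _2, _3 ... suffix (assumption modelled on the StartCom _2 entry in the
    thread).  Trust objects are matched to certificates by label, which is
    a simplification."""
    objects = parse_certdata(text)
    trust = {o['CKA_LABEL']: o.get('CKA_TRUST_SERVER_AUTH')
             for o in objects if o.get('CKA_CLASS') == 'CKO_NSS_TRUST'}
    seen, labels = Counter(), []
    for o in objects:
        if o.get('CKA_CLASS') != 'CKO_CERTIFICATE':
            continue
        label = o['CKA_LABEL']
        if trust.get(label) != 'CKT_NSS_TRUSTED_DELEGATOR':
            continue
        seen[label] += 1
        labels.append(label if seen[label] == 1 else f'{label}_{seen[label]}')
    return labels


def diff_roots(old_text, new_text):
    """Return (added, removed) label lists between two certdata versions."""
    old = set(trusted_server_labels(old_text))
    new = set(trusted_server_labels(new_text))
    return sorted(new - old), sorted(old - new)


def news_entry(added, removed):
    """Render the change in the sentence-per-list style proposed above."""
    lines = []
    if added:
        lines.append('The following certification authorities have been added:')
        lines += [f'  - {a}' for a in added]
    if removed:
        lines.append('The following certification authorities have been removed:')
        lines += [f'  - {r}' for r in removed]
    return '\n'.join(lines) or 'No trusted certification authorities were added or removed.'


def _cert(label, trust='CKT_NSS_TRUSTED_DELEGATOR'):
    """Constructed certificate + trust object pair in certdata.txt syntax
    (the octal body is a placeholder, not a real certificate)."""
    return (f'# Certificate "{label}"\n'
            'CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n'
            f'CKA_LABEL UTF8 "{label}"\n'
            'CKA_VALUE MULTILINE_OCTAL\n'
            '\\060\\202\\001\\000\n'
            'END\n\n'
            f'# Trust for "{label}"\n'
            'CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n'
            f'CKA_LABEL UTF8 "{label}"\n'
            f'CKA_TRUST_SERVER_AUTH CK_TRUST {trust}\n\n')


# Constructed sample data: one root dropped, one added, one present but
# explicitly distrusted, and a duplicated label.
OLD_CERTDATA = 'BEGINDATA\n' + _cert('Example Root CA') + _cert('Example Old Root') \
    + _cert('Example Dup') + _cert('Example Dup')
NEW_CERTDATA = 'BEGINDATA\n' + _cert('Example Root CA') + _cert('Example New Root') \
    + _cert('Example Dup') + _cert('Example Dup') \
    + _cert('Example Distrusted', 'CKT_NSS_NOT_TRUSTED')

if __name__ == '__main__':
    print(news_entry(*diff_roots(OLD_CERTDATA, NEW_CERTDATA)))
```

Run against the two real files (the old one from /usr/share/ca-certificates or a saved copy, the new one from the upgraded package's source) it prints exactly the two lists the thread argues a NEWS entry should contain, and nothing for a cert that was merely re-listed as distrusted.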

