Hey.

On Sat, 2024-10-12 at 15:46 +0200, Francesco Poli wrote:
> I hope I clarified why I am not going to hard-code any certificate in
> apt-listbugs.

Would you consider the following:

It seems Ruby uses OpenSSL, which already allows configuring the
trusted CA cert via setting the env var SSL_CERT_FILE.

Now doing that without "support" from apt-listbugs is rather a
nuisance, one cannot simply do something like:
   DPkg::Pre-Install-Pkgs {"SSL_CERT_FILE=/usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt /usr/bin/apt-listbugs apt";};
because, while that is allegedly executed as a shell command, it does not
really seem to work exactly like that and subsequently apt fails:
   E: APT_HOOK_INFO_FD is not correctly defined.
   E: Sub-process SSL_CERT_DIR=/usr/share/ca-certificates/mozilla /usr/bin/apt-listbugs apt returned an error code (1)
   E: Failure running script SSL_CERT_DIR=/usr/share/ca-certificates/mozilla /usr/bin/apt-listbugs apt

Similar things like:
   DPkg::Pre-Install-Pkgs {"/bin/sh -c 'SSL_CERT_FILE=/usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt /usr/bin/apt-listbugs apt'";};
don't work either, again because the APT_HOOK_INFO_FD is no longer
properly detected.


What did however work is replacing the whole /etc/apt/apt.conf.d/10apt-listbugs
with e.g.:
   DPkg::Pre-Install-Pkgs {"/usr/local/bin/apt-listbugs apt";};
   DPkg::Tools::Options::/usr/local/bin/apt-listbugs "";
   DPkg::Tools::Options::/usr/local/bin/apt-listbugs::Version "3";
   DPkg::Tools::Options::/usr/local/bin/apt-listbugs::InfoFD "20";
   AptListbugs::Severities "critical,grave,serious";


and have /usr/local/bin/apt-listbugs be:
   #!/bin/sh
   
   export SSL_CERT_FILE=/usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
   exec /usr/bin/apt-listbugs "$@"


But that's pretty hacky, and even if a better solution was found, if
10apt-listbugs needs to be changed, it will not work out-of-the box on
upgrades.

Could you perhaps add some:
   AptListbugs::CAFile "/path/to/file";
option, that sets the env var from within the program or calls the Ruby
function that makes the HTTP connection with some parameter for the CA, if it
provides such?


Cheers,
Chris.
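As an added example (editor's sketch, not apt-listbugs code), the kind of hook the request above asks for: a Ruby function that takes a CA-file setting such as the proposed AptListbugs::CAFile and hands it to Net::HTTP, falling back to OpenSSL's default paths (where SSL_CERT_FILE applies) when none is given. The host name and the self-signed sample certificate are constructed for the demo.

```ruby
# Added example (not apt-listbugs code): honouring a CA-file option in Ruby
# by handing the bundle to Net::HTTP instead of relying on SSL_CERT_FILE.
require 'net/http'
require 'openssl'
require 'tempfile'

# Env var OpenSSL consults for its default CA file ("SSL_CERT_FILE").
def ca_file_env_name
  OpenSSL::X509::DEFAULT_CERT_FILE_ENV
end

# Fail early if the configured CA file is missing or holds no PEM certificate;
# returns the parsed certificates.
def validate_ca_file(path)
  raise ArgumentError, "CA file #{path} does not exist" unless File.file?(path)
  pems = File.read(path).scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
  raise ArgumentError, "CA file #{path} contains no PEM certificates" if pems.empty?
  pems.map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# HTTPS client with peer verification on. With ca_file, trust is pinned to that
# bundle; without it OpenSSL's default paths apply (SSL_CERT_FILE / SSL_CERT_DIR).
def build_https_client(host, port = 443, ca_file: nil)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  if ca_file
    validate_ca_file(ca_file)
    http.ca_file = ca_file
  end
  http
end

# Constructed sample: a throwaway self-signed root written to path, standing in
# for a real root such as ISRG_Root_X1.crt.
def write_sample_ca(path)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Sample Test Root')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  File.write(path, cert.to_pem)
  path
end

if __FILE__ == $PROGRAM_NAME
  ca = write_sample_ca(Tempfile.new(['sample-ca', '.crt']).path)
  client = build_https_client('bugs.example.org', ca_file: ca) # hypothetical host
  puts "CA bundle: #{client.ca_file}; env var used otherwise: #{ca_file_env_name}"
end
```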
