On Sun, 2024-10-13 at 18:58 +0200, Francesco Poli wrote:
> I don't think such an uncommon use case is worth a specific support to
> be implemented into apt-listbugs.

Didn't you argue yourself that apt-listbugs might be used with any other BTS? There's no reason why such a BTS shouldn't be run with e.g. a private CA. In fact, for any security-conscious people this would be the only way to run the whole thing securely.

The CA/Browser Forum system is completely and inherently broken. You have around 150 CAs, many of them under effective control by totalitarian systems, many of them having been caught already several times "accidentally" forging certs. This doesn't account yet for thousands? tens of thousands? of intermediate CAs, which all can more or less issue a certificate, including e.g. for bugs.debian.org.

Even if one would naively assume they're all good, many/most of them do totally weak verifications (like sending plain-text mail to allegedly well-known admin addresses, or the challenge-response that's done by Let's Encrypt, which is however of course not really secure either).

A BTS might contain security-critical information, like "if you suffer from bug xyz, run commands foo bar". So it makes total sense for any 3rd-party BTS (and would so even more of course for Debian's) to be run with a private CA, with any users of the service, like apt-listbugs, trusting only that, making it truly secure.

Anyway... I just thought that for a program which is intended for generic usage (like curl, etc.), it would also make sense to allow generic configuration of the trusted CAs. Nevermind. :-)

> However, you could:
>
> # export SSL_CERT_FILE=/usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
>
> just before invoking apt (or aptitude or your package manager of
> choice). It should work.

Sure, but that's also quite hacky... I'm doing this on several hundred servers, so if at all I'd deploy some more or less "clean" workaround like the example I gave earlier, or what you proposed with diversions, or simply drop listbugs on these.

Thanks,
Chris.
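The two trust models argued over above, as an added example that is not part of the thread and not apt-listbugs code. It is written in Ruby (the language apt-listbugs itself is written in) with only the stdlib openssl gem: it builds a throwaway private CA and a server certificate signed by it (constructed test material; the CA name "Example Private BTS CA" and the hostname bugs.example.org are hypothetical), then checks the same server certificate against three trust stores: one containing only the private CA, one loaded from OpenSSL's default paths with SSL_CERT_FILE pointed at the private CA (the workaround quoted in the reply), and the plain system store.

```ruby
require "openssl"
require "tempfile"

# Throwaway self-signed CA (constructed test material; the CN is hypothetical).
def make_private_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=Example Private BTS CA")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Server certificate for the BTS host, signed by the private CA (hostname hypothetical).
def issue_server_cert(ca_key, ca_cert, hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyEncipherment", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth"))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}"))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Trust store holding ONLY the private CA: none of the public roots are loaded.
def private_ca_store(ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store
end

# What an unconfigured client gets: OpenSSL's default verify paths, which
# honour the SSL_CERT_FILE and SSL_CERT_DIR environment variables.
def default_store
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store
end

# The quoted workaround: export SSL_CERT_FILE=<private CA> before the client starts.
def store_via_ssl_cert_file(ca_cert)
  Tempfile.create(["private-ca", ".crt"]) do |f|
    f.write(ca_cert.to_pem)
    f.flush
    saved = ENV["SSL_CERT_FILE"]
    ENV["SSL_CERT_FILE"] = f.path
    begin
      default_store
    ensure
      saved ? ENV["SSL_CERT_FILE"] = saved : ENV.delete("SSL_CERT_FILE")
    end
  end
end

# Full client-side check: chain builds to a trusted root AND the name matches.
def verify_chain(store, leaf, hostname)
  return false unless store.verify(leaf)
  OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
end

def demo
  ca_key, ca_cert = make_private_ca
  _srv_key, srv_cert = issue_server_cert(ca_key, ca_cert, "bugs.example.org")
  pinned = private_ca_store(ca_cert)
  {
    private_store_accepts_bts: verify_chain(pinned, srv_cert, "bugs.example.org"),
    private_store_accepts_other_name: verify_chain(pinned, srv_cert, "bugs.debian.org"),
    ssl_cert_file_store_accepts_bts: verify_chain(store_via_ssl_cert_file(ca_cert), srv_cert, "bugs.example.org"),
    system_store_accepts_bts: verify_chain(default_store, srv_cert, "bugs.example.org")
  }
end

demo.each { |k, v| puts "#{k}: #{v}" } if __FILE__ == $PROGRAM_NAME
```

The pinned store accepts the BTS certificate and rejects the same certificate presented under another name; the system store rejects it outright because no public root signed it. The SSL_CERT_FILE variant accepts it too, which is why the quoted workaround works for OpenSSL-based clients, but note that it only replaces the default CA file: the default hashed directory (on Debian, /etc/ssl/certs) is still added by set_default_paths, so the public roots remain trusted alongside the private CA. Only the explicit store actually trusts the private CA alone.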