On Sat, Oct 24, 2020 at 11:50:14AM +0800, Paul Wise wrote:
> > This is a very non-trivial downstream patch though, the project I'm
> > trying to package runs in a sandbox and loading certificates from disk
> > at runtime is not possible without redesigning some things.
>
> One option to solve this would be to have src:rust-webpki-roots provide
> webpki-roots-build containing build.py and then have ca-certificates
> build-dep on webpki-roots, run build.py and build a binary package
> containing the generated rust code. That seems a bit ick though.
>
> Is there any chance of webpki/rustls upstream switching from embedding
> to runtime loading of certs like other TLS stacks do?
It's more complicated than that, there's rustls-native-certs to use the
local certificate store, but the patch would be so invasive that Debian
would effectively maintain a fork. At the time of writing webpki-roots
has 85 reverse dependencies on crates.io, while rustls-native-certs has
13.

rustls-native-certs compares itself to webpki-roots in the readme, I
think this bit is interesting:

> Cons:
> [...]
> - The quality of the ca-certificates package on debian-based Linux
>   distributions is poor. At the time of writing, this ships many
>   certificates not included in the Mozilla set, either because they
>   failed an audit and were withdrawn[1] or were removed for
>   misissuance[2].

[1]: https://bugs.mozilla.org/show_bug.cgi?id=1448506
[2]: https://bugs.mozilla.org/show_bug.cgi?id=1552374
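For readers following the embedding-versus-runtime-loading question, here is an added example of the runtime-loading side, written for this page and not taken from the thread, rustls, webpki-roots or rustls-native-certs. It uses only the Rust standard library: it reads a PEM bundle in the format Debian's ca-certificates ships at /etc/ssl/certs/ca-certificates.crt (that path is an assumption about the target system) and returns the DER bytes of each CERTIFICATE block, which is what a TLS stack that trusts the platform store would feed into its root store at startup. The sample bundle embedded below is constructed from two tiny DER SEQUENCEs and is not a real trust store; the base64 decoder and the parser are the example's own code.

```rust
// Added example, not code from the thread or from rustls/webpki-roots.
// Loads CA roots from a PEM bundle at runtime instead of compiling a
// generated table of certificates into the binary.
use std::fs;
use std::io;

const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

fn bad(msg: &str) -> io::Error {
    io::Error::new(io::ErrorKind::InvalidData, msg)
}

/// Decode standard base64 (RFC 4648 alphabet, '=' padding). Any byte
/// outside the alphabet, data after padding, or a length that is not a
/// multiple of four yields None, so a corrupted bundle is rejected rather
/// than silently turned into garbage DER.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    let mut out = Vec::with_capacity(s.len() * 3 / 4);
    let mut acc: u32 = 0;
    let mut bits = 0;
    let mut pad = 0;
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' => {
                pad += 1;
                continue;
            }
            _ => return None,
        };
        if pad > 0 {
            return None; // alphabet characters after '=' padding
        }
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    if s.len() % 4 != 0 || pad > 2 {
        return None;
    }
    Some(out)
}

/// Parse a PEM bundle into DER certificate blobs. Lines outside a
/// CERTIFICATE block (comments, other PEM types such as CRLs) are
/// skipped. A BEGIN without END, a body that does not decode, or a body
/// that is not a DER SEQUENCE is an error: a trust store must not be
/// built from a partially read bundle.
fn parse_pem_bundle(text: &str) -> io::Result<Vec<Vec<u8>>> {
    let mut certs = Vec::new();
    let mut body: Option<String> = None;
    for line in text.lines() {
        let line = line.trim();
        if line == BEGIN {
            if body.is_some() {
                return Err(bad("nested BEGIN CERTIFICATE"));
            }
            body = Some(String::new());
        } else if line == END {
            let b64 = body.take().ok_or_else(|| bad("END without BEGIN"))?;
            let der = base64_decode(&b64).ok_or_else(|| bad("invalid base64 in bundle"))?;
            // Every X.509 certificate is a DER SEQUENCE, whose tag byte is 0x30.
            if der.first() != Some(&0x30) {
                return Err(bad("certificate body is not a DER SEQUENCE"));
            }
            certs.push(der);
        } else if let Some(b) = body.as_mut() {
            b.push_str(line);
        }
    }
    if body.is_some() {
        return Err(bad("unterminated CERTIFICATE block"));
    }
    Ok(certs)
}

/// Runtime loading: read whatever the system ships when the program
/// starts. The trust set is then the distribution's, not a copy of the
/// Mozilla set frozen into the binary at build time.
fn load_system_roots(path: &str) -> io::Result<Vec<Vec<u8>>> {
    parse_pem_bundle(&fs::read_to_string(path)?)
}

/// Constructed sample bundle (not real certificates): two minimal DER
/// SEQUENCEs plus a comment line and an unrelated PEM block to skip.
const SAMPLE_BUNDLE: &str = "\
# constructed sample, not a real trust store
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
AAAA
-----END X509 CRL-----
-----BEGIN CERTIFICATE-----
MAYCAQIFAA==
-----END CERTIFICATE-----
";

fn main() {
    let certs = parse_pem_bundle(SAMPLE_BUNDLE).expect("sample bundle parses");
    println!("{} certificate(s) in the constructed sample", certs.len());
    // Assumed Debian path; on a system without it this just reports the error.
    match load_system_roots("/etc/ssl/certs/ca-certificates.crt") {
        Ok(c) => println!("{} certificate(s) in the system bundle", c.len()),
        Err(e) => println!("system bundle not loaded: {}", e),
    }
}
```

In a real rustls client the returned DER blobs would be added to a `RootCertStore` (rustls-native-certs wraps exactly this step, using the platform's own lookup rather than a fixed path); the point of the standalone version is to make visible what changes when a program stops embedding webpki-roots: the set of trusted CAs becomes whatever the installed ca-certificates package contains, which is the quality concern the quoted readme raises, and the file must be readable inside whatever sandbox the program runs in, which is the obstacle the first message describes.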