perl.perl5.porters | Postings from June 2022

Re: Pre-RFC: support https out-of-the-box

From:
Felipe Gasper
Date:
June 17, 2022 12:45
Subject:
Re: Pre-RFC: support https out-of-the-box
Message ID:
BBDBB3D0-1D6D-4691-A7E4-A1B8B00B7E29@felipegasper.com


> On Jun 16, 2022, at 18:19, Craig A. Berry <craig.a.berry@gmail.com> wrote:
> 
> On Thu, Jun 16, 2022 at 2:11 PM Felipe Gasper <felipe@felipegasper.com> wrote:
>> 
>>> On Jun 16, 2022, at 14:42, Craig A. Berry <craig.a.berry@gmail.com> wrote:
>>> So let's please not go with a Linux-only solution and just use
>>> Mozilla::CA as already planned.
>> 
>> How would using OpenSSL’s root certs be less “Linux-only” than using Net::SSLeay?
> 
> Both OpenSSL and Net::SSLeay are very portable.  The Linuxy assumption
> is that an OpenSSL package includes (or symlinks to) authoritative
> certificates provided by the OS distributor.  That is unlikely to be
> the case on non-Linux.  I don't know, but the BSDs very likely do
> something similar with LibreSSL, though as far as I can find, the
> authoritative certs included with BSD distros are just the same
> Mozilla certs you'd get with Mozilla::CA. If the Mozilla certificates
> are good enough for the BSDs and for curl, why wouldn't they be good
> enough for us, especially since there is already a Perl-friendly way
> to maintain them?

My macOS, FreeBSD, and Cygwin installs all have roots at $OPENSSLDIR/cert.pem. That seems like an awfully wide swath of potential Perl users.

The problem with Mozilla::CA is that there’s too little motivation to keep the root store up-to-date. It’s a good solution for when we can’t find *any* root store, but if OpenSSL *tells* us where it keeps its roots, we might as well just latch onto whatever mechanism keeps OpenSSL updated. This appears to be the same mechanism that PHP, Python, and node.js all use … is it a problem for those folks, do we know?

Alternatively, ship a very-simple CPAN module that duplicates golang’s root-finding logic. There are separate paths per OS; look at “root_*.go” files under https://go.dev/src/crypto/x509/.

-FG
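The post argues for asking OpenSSL where its root store lives ($OPENSSLDIR/cert.pem) and otherwise falling back to per-OS well-known paths in the manner of Go's root_*.go files. The script below is an added illustration of that probing order and is not code from the thread, from Perl, or from Go. The environment variable name (SSL_CERT_FILE), the `openssl version -d` output format, and the candidate path list are assumptions drawn from common OpenSSL and distro conventions; verify them against the root_*.go files and your own systems before relying on them. The certificate count at the end is the quick staleness check a practitioner would run on whatever bundle turns up.

```shell
#!/bin/sh
# Added example, not from the original post. Probe for a system CA bundle:
# honour an explicit override, then ask OpenSSL for OPENSSLDIR, then fall
# back to a per-OS candidate list (assumed paths, in the spirit of Go's
# crypto/x509 root_*.go; check those files for the authoritative lists).

# Print the first argument that is an existing, non-empty regular file.
first_existing_file() {
    for f in "$@"; do
        if [ -s "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# OPENSSLDIR as reported by the openssl binary, whose output looks like
#   OPENSSLDIR: "/usr/lib/ssl"
# (assumed format; prints nothing if openssl is not installed).
openssl_dir() {
    command -v openssl >/dev/null 2>&1 || return 1
    openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Locate a CA bundle, most specific source first.
find_ca_bundle() {
    # SSL_CERT_FILE is the override OpenSSL itself honours (assumption).
    if [ -n "${SSL_CERT_FILE:-}" ]; then
        first_existing_file "$SSL_CERT_FILE" && return 0
    fi

    # What the post proposes: latch onto OpenSSL's own directory.
    dir=$(openssl_dir || true)
    if [ -n "$dir" ]; then
        first_existing_file "$dir/cert.pem" "$dir/certs/ca-certificates.crt" && return 0
    fi

    # Fallback: assumed Linux distro locations, then BSD-style paths.
    first_existing_file \
        /etc/ssl/certs/ca-certificates.crt \
        /etc/pki/tls/certs/ca-bundle.crt \
        /etc/ssl/ca-bundle.pem \
        /etc/pki/tls/cacert.pem \
        /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
        /etc/ssl/cert.pem \
        /usr/local/etc/ssl/cert.pem \
        /usr/local/share/certs/ca-root-nss.crt \
        /etc/openssl/certs/ca-certificates.crt
}

# Count PEM certificates in a bundle. A current Mozilla-derived store has
# well over a hundred roots; a single-digit count means you found a
# different file (or a badly stale one) and should not trust it blindly.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Stand-alone run: report what was found, or say so if nothing was.
if bundle=$(find_ca_bundle); then
    echo "CA bundle: $bundle ($(count_certs "$bundle") certificates)"
else
    echo "no CA bundle found; would need a fallback such as Mozilla::CA" >&2
fi
```

Run it as `sh find_ca_bundle.sh` on each platform you care about; the interesting cases are exactly the ones in the thread (macOS, FreeBSD, Cygwin), where the OPENSSLDIR probe is expected to hit before the Linux-style list is consulted. The count is only a sanity check, not a freshness guarantee; for that, compare the bundle's modification time or its contents against a known-current Mozilla export.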



nntp.perl.org: Perl Programming lists via nntp and http.