On Tue, Dec 17, 2013 at 5:23 PM, Joe Watkins <[email protected]> wrote:
> On 12/17/2013 04:06 PM, Andrea Faulds wrote:
>
>>
>>
>> On 17/12/13 11:51, Joe Watkins wrote:
>>
>>> I'm saying that we should, definitely, accept the patch; in this
>>> specific case we can fix the implementation or security issue without
>>> affecting behaviour,
>>>
>>
>> Unfortunately that's not true. To fix the security issue REQUIRES
>> affecting behaviour. Otherwise it's not fixed.
>>
>>
> If the CA file is present with verification enabled the vast majority of
> requests will execute as they do now, but securely. Most of the time, no
> evident change. If the CA file is not present change is introduced, lots of
> it.
>
> Changing the behaviour of the language from an internals perspective does
> not and should not mean changing the behaviour of code unless that is the
> intention behind the change, obviously.
>
>
> Cheers
> Joe
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
Yes, as I mentioned shipping a CA file would help some users (we can only
guess here, but I think most users would be using the shared CA bundle from
their distro, and only a small percentage would use the one that we
provided).
On the other hand everybody else apart from the browsers seems to be trying
to *not* ship their own CA bundle anymore.
Python doesn't ship one (even though it was requested:
http://bugs.python.org/issue13655)
Ruby doesn't ship one.
Java has it's own:
http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.htmldistros
try to wrap that away, which can cause bugs like this:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/920758
Perl doesn't ship one, but has multiple cpan modules which provide CA
bundles.
I stopped looking, but I really think that we should refrain from shipping
a CA bundle and take the burden of maintenance to ourselves.
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu