Mercurial vulnerability? CVE-2010-4237
Mads Kiilerich
mads at kiilerich.com
Thu Dec 9 11:14:30 CST 2010
On 12/09/2010 04:32 PM, Antoine Pitrou wrote:
> Mads Kiilerich <mads at kiilerich.com> writes:
>>
>> 2. encourage packagers to configure cacerts by default - for Fedora that
>> could be by creating a /etc/mercurial/hgrc.d/cacerts.rc with
>> '[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt'.
>
> How would this work under Windows? I'm not aware that this OS has certificates
> in the appropriate format.
> If you have a simple solution, Python would be interested :)
This is PKI, so nothing is simple and nothing is good. There are no
solutions, only ways to make wrong assumptions and make it somebody
else's problem. ;-(

Which CAs to trust is a policy decision. Mercurial (and Python) _could_
distribute a CA list in a format suitable for Python's OpenSSL, but I
don't think we should be the ones to suggest that the user should trust
for example both the US, Chinese and Israeli governments.

The operating systems have already made a decision about who to trust,
so utilizing that seems like the "best" solution. There is no good
generic "API" for that, so pushing the responsibility for this deep
integration to the platform packagers seems like a good "solution".

Windows probably doesn't have a suitable CA certificate file, but it might
be possible to do it with only 15-20 calls to crypt32.dll.
http://timgolden.me.uk/pywin32-docs/win32crypt.html doesn't expose all
of http://msdn.microsoft.com/en-us/library/aa380252.aspx , but there is
always ctypes ;-)

On Fedora it would be preferable if the certificate could be checked
through NSS and its certificate database.

I think Python (from this point of view) made an unfortunate decision by
using OpenSSL and exposing it in so many ways that it is almost impossible
to use anything else without breaking API compatibility. Because of that
there is no good solution. It could be argued that Python made the
decision to use OpenSSL on all platforms, so Python should also take
responsibility for managing the CAs. Somehow.

FWIW I think it would be "better" if Python could utilize the different
crypto libraries on the different platforms - for example OpenSSL, NSS,
GnuTLS and some Windows crypto API. Exposing all these different APIs
through a common, nice, efficient and sufficiently complete Python API
is however probably almost impossible.

/Mads
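
A packager-side check for the `[web] cacerts` setting proposed in the message above, added here as an example and not part of the original post or of Mercurial's code: it reads hgrc text, resolves `web.cacerts`, and confirms the bundle is readable and contains PEM certificates. The name `audit_cacerts` and the use of `configparser` as a stand-in for Mercurial's own config parser are assumptions; the sample bundle is constructed.

```python
import configparser
import os
import re
import tempfile

# A PEM certificate block; only the markers are counted, nothing is validated.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def audit_cacerts(hgrc_text):
    """Return (status, detail) for the [web] cacerts setting in hgrc text.

    status is one of: "unset", "unreadable", "empty", "ok".
    """
    # Assumption: configparser is close enough to Mercurial's parser for
    # simple files such as an hgrc.d/cacerts.rc; %include is not followed.
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(hgrc_text)
    path = (cp.get("web", "cacerts", fallback="") or "").strip()
    if not path:
        return ("unset", "web.cacerts is not configured")
    path = os.path.expanduser(os.path.expandvars(path))
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            count = len(PEM_CERT.findall(fh.read()))
    except OSError as exc:
        return ("unreadable", "%s: %s" % (path, exc.strerror))
    if count == 0:
        return ("empty", "%s: no PEM certificates found" % path)
    return ("ok", "%s: %d PEM certificate(s)" % (path, count))


if __name__ == "__main__":
    # Constructed sample: a placeholder bundle and the hgrc that points at it.
    tmp = tempfile.mkdtemp()
    bundle = os.path.join(tmp, "ca-bundle.crt")
    with open(bundle, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nQUJD\n"
                 "-----END CERTIFICATE-----\n")
    print(audit_cacerts("[web]\ncacerts=%s\n" % bundle))
    print(audit_cacerts("[ui]\nusername = packager\n"))
    print(audit_cacerts("[web]\ncacerts=%s\n" % os.path.join(tmp, "gone.crt")))
```
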