FS#67523 - [nuget] network access in post_install
Attached to Project:
Arch Linux
Opened by hexchain (hexchain) - Friday, 07 August 2020, 15:19 GMT
Last edited by Giancarlo Razzolini (grazzolini) - Tuesday, 22 September 2020, 18:11 GMT
Details
Description:
The nuget package downloads a file from the Internet in its post_install routine:

(3/3) installing nuget [---------------] 100%
Mozilla Roots Importer - version 6.10.0.0
Download and import trusted root certificates from Mozilla's MXR.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
WARNING: mozroots is deprecated, please move to cert-sync instead.
Downloading from 'https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt'...
Importing certificates into machine store...
147 new root certificates were added to your trust store.
Import process completed.
...

It relies on a 3rd-party file, does not verify any checksum, and the file can also possibly change over time.

Additional info:
* package version(s)
* config and/or log files etc.
* link to upstream bug report, if any

nuget 5.6.0-1

Steps to reproduce:
pacman -S nuget
This task depends upon
Closed by Giancarlo Razzolini (grazzolini)
Tuesday, 22 September 2020, 18:11 GMT
Reason for closing: Fixed
Additional comments about closing: nuget-5.7.0-1 implements the usage of cert-sync
https://github.com/archlinux/svntogit-packages/blob/packages/mono/trunk/mono.install#L6
What do you propose we do exactly here?
It seems that nuget depends on mono (probably in the sense that a dotnet program depends on a dotnet runtime). Why does it have the need to import the certificate store, instead of just using the mono one?
And as far as I can see, mono.install just imports certificates from the system certificate store. I think that should also be done here for nuget (also with cert-sync, since mozroots is deprecated?) if this is absolutely required, instead of fetching them online.
> The nuget package was recently changed to use the binary blob from microsoft. So, it's not dependent on anything in that sense.
But it is still executed with mono (https://github.com/archlinux/svntogit-packages/blob/packages/nuget/trunk/nuget). And it does not seem like mozroots is importing into a nuget-specific cert store. Maybe it is indeed duplicate effort?
> But, the install calls mozroots with --machine which imports the machine cert store
According to mozroots -h:
--machine Import the certificate in the machine trust store.
The default is to import into the user store.
It specifies the destination, not the source.
I'll change to cert-sync for now, though.
Anyway, thanks for taking care of this!
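The following is an added example, not code from this bug report or from the Arch nuget or mono packages. It puts a reconstruction of the reported hook (mozroots fetching certdata.txt from hg.mozilla.org at install time) next to the cert-sync form the fix moved to, which reads the local ca-certificates bundle instead, and adds a small audit that flags .install hooks which reach the network during pacman -S. The exact mozroots flags of the original hook, the ca-certificates path given to cert-sync, and the pattern list are assumptions.

```shell
#!/bin/sh
# Added example (not the bug report's or the Arch packages' own code):
# reconstruct the two forms of the post_install hook discussed in the
# report, then audit .install files for install-time network access.
# Flags, paths and patterns below are assumptions, not taken from the page.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed sample: the pre-fix behaviour. mozroots downloads certdata.txt
# over the network on every install/upgrade and verifies no checksum.
WEAK="$TMP/nuget-weak.install"
cat > "$WEAK" <<'EOF'
post_install() {
    # assumed flags: imports Mozilla roots into the machine store
    mozroots --import --sync --machine
}
EOF

# Constructed sample: the cert-sync form. It only reads the bundle that the
# ca-certificates package already ships, so no network access is needed.
FIXED="$TMP/nuget-fixed.install"
cat > "$FIXED" <<'EOF'
post_install() {
    cert-sync /etc/ssl/certs/ca-certificates.crt
}
EOF

# Commands and URL schemes that mean a hook talks to the network at install
# time. mozroots is listed because, as the report's output shows, it is a
# downloader itself even though its name does not suggest that.
NET_PATTERNS='(^|[[:space:]])(mozroots|curl|wget|git clone|hg (clone|pull))([[:space:]]|$)|https?://'

# Print the offending lines of one .install file.
# Exit status 0 = network access found, 1 = none found.
hook_reaches_network() {
    # drop comment lines so a URL mentioned in a comment is not a false positive
    grep -v '^[[:space:]]*#' "$1" | grep -E "$NET_PATTERNS"
}

# Audit every .install file under a directory (an extracted package, or a
# checkout of package sources); exit status 1 if any hook reaches the network.
audit_dir() {
    rc=0
    for f in "$1"/*.install; do
        [ -e "$f" ] || continue
        if hook_reaches_network "$f" >/dev/null; then
            echo "network access in $f:" >&2
            hook_reaches_network "$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Run against the two constructed files: only the mozroots hook is reported.
audit_dir "$TMP" || echo "audit flagged at least one hook" >&2
```

The audit is a coarse grep, so it reports candidates for a human to look at rather than proving a hook is clean; the point it makes is that a hook can be a network client without an obvious curl or wget call, which is exactly how the mozroots case went unnoticed.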