FS#67523 - [nuget] network access in post_install

Attached to Project: Arch Linux
Opened by hexchain (hexchain) - Friday, 07 August 2020, 15:19 GMT
Last edited by Giancarlo Razzolini (grazzolini) - Tuesday, 22 September 2020, 18:11 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Levente Polyak (anthraxx)
Giancarlo Razzolini (grazzolini)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
The nuget package downloads a file from the Internet in its post_install routine:

(3/3) installing nuget [---------------] 100%
Mozilla Roots Importer - version 6.10.0.0
Download and import trusted root certificates from Mozilla's MXR.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

WARNING: mozroots is deprecated, please move to cert-sync instead.

Downloading from 'https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt'...
Importing certificates into machine store...
147 new root certificates were added to your trust store.
Import process completed.
...

It relies on a 3rd-party file, does not verify any checksum, and the file can also possibly change over time.


Additional info:
* package version(s)
* config and/or log files etc.
* link to upstream bug report, if any

nuget 5.6.0-1

Steps to reproduce:
pacman -S nuget

Closed by Giancarlo Razzolini (grazzolini)
Tuesday, 22 September 2020, 18:11 GMT
Reason for closing: Fixed
Additional comments about closing: nuget-5.7.0-1 implements the usage of cert-sync
Comment by Giancarlo Razzolini (grazzolini) - Monday, 10 August 2020, 03:13 GMT
Mono does exactly the same thing, just it has switched to using cert-sync:
https://github.com/archlinux/svntogit-packages/blob/packages/mono/trunk/mono.install#L6

What do you propose we do exactly here?
Comment by hexchain (hexchain) - Monday, 10 August 2020, 12:02 GMT
Please correct me if I'm wrong.

It seems that nuget depends on mono (probably in the sense that a dotnet program depends on a dotnet runtime). Why does it have the need to import the certificate store, instead of just using the mono one?

And as far as I can see, mono.install just imports certificates from the system certificate store. I think that should also be done here for nuget (also with cert-sync, since mozroots is deprecated?) if this is absolutely required, instead of fetching them online.
Comment by Giancarlo Razzolini (grazzolini) - Monday, 10 August 2020, 12:12 GMT
The nuget package was recently changed to use the binary blob from microsoft. So, it's not dependent on anything in that sense. But, the install calls mozroots with --machine which imports the machine cert store, as far as I know. We can certainly change it to cert-sync. Also, the rest of them are for importing the certs necessary for nuget to be able to fetch packages. I'm not sure if all of them are still needed, but I can check that.
Comment by hexchain (hexchain) - Monday, 10 August 2020, 12:20 GMT
Thanks for the explanation.

> The nuget package was recently changed to use the binary blob from microsoft. So, it's not dependent on anything in that sense.
But it is still executed with mono (https://github.com/archlinux/svntogit-packages/blob/packages/nuget/trunk/nuget). And it does not seem like mozroots is importing into a nuget-specific cert store. Maybe it is indeed duplicate effort?

> But, the install calls mozroots with --machine which imports the machine cert store
According to mozroots -h:

--machine Import the certificate in the machine trust store.
The default is to import into the user store.

It specifies the destination, not the source.
Comment by Giancarlo Razzolini (grazzolini) - Monday, 10 August 2020, 12:25 GMT
To be quite honest, that line could probably be changed from mono nuget.exe to dotnet, for example. I'll do some experimentation, but yes, the way it is now, running mozroots is duplicate-ish effort (there's the case where you installed mono a long time ago and when you install nuget it'll update the certs).

I'll change to cert-sync for now, though.
Comment by hexchain (hexchain) - Monday, 10 August 2020, 12:27 GMT
Probably mono could install a hook that runs cert-sync every time ca-certificates is updated?

Anyway, thanks for taking care of this!
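A sketch of the fix the thread converges on, added here as an example and not the Arch nuget package's own .install file or hook: the post_install imports Mono's trust store from the pacman-signed local CA bundle with cert-sync (invoked the way mono.install does) instead of downloading certdata.txt, and a pacman hook re-syncs it whenever ca-certificates changes. The bundle path and the hook file name are assumptions.

```shell
#!/bin/sh
# Added example, not the Arch nuget package's own .install file. Replaces the
# network fetch with cert-sync over the locally installed CA bundle and keeps
# the Mono store current via a pacman hook. Paths and hook name are assumed.

CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Hardened post_install: never touches the network, and fails loudly instead
# of silently leaving an empty trust store when the local bundle is missing.
post_install() {
    if [ ! -r "$CA_BUNDLE" ]; then
        echo "nuget: $CA_BUNDLE is not readable, Mono cert import skipped" >&2
        return 1
    fi
    cert-sync "$CA_BUNDLE"
}

post_upgrade() {
    post_install
}

# Contents for /usr/share/libalpm/hooks/90-mono-cert-sync.hook (hypothetical
# name, chosen so it sorts after the hook that regenerates the CA bundle), so
# the Mono store is re-synced every time ca-certificates is installed/upgraded.
hook_file_contents() {
    cat <<EOF
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = ca-certificates

[Action]
Description = Syncing Mono trust store from the system CA bundle...
When = PostTransaction
Depends = mono
Exec = /usr/bin/cert-sync $CA_BUNDLE
EOF
}
```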
