From: Ricardo Wurmus
Subject: Re: [PATCH] gnu: icedtea-8: Build keystore without id-ecPublicKey certificates.
Date: Thu, 02 Mar 2017 08:07:33 +0100
Message-ID: <87shmww40a.fsf@elephly.net>
To: Roel Janssen
Cc: guix-devel@gnu.org, Carlo Zancanaro

Roel Janssen writes:

> Ricardo Wurmus writes:
>
>> Carlo Zancanaro writes:
>>
>>> On Mon, Feb 27 2017, Roel Janssen wrote
>>>> Unfortunately, I don't seem to be able to apply your patch. [ ... ]
>>>
>>> Hmm. That's strange. I generated a new patch which hopefully will work.
>>> I tried applying it to master on my machine and it seemed to work fine.
>>>
>>> I'm not sure what to do with this in light of Ricardo's comments, but
>>> I'm hopeful that it can be pushed. (The advantage not having the ability
>>> to push is that I don't have to make any real decisions. Hooray!)
>>
>> Thanks for the new patch. I applied it as
>> ea9e58ef66f0fc0235eb1b36690ad4e41bf8771d after making a few minor
>> changes to the commit message.
>>
>> I also added a Co-authored-by line for Roel as you updated his copyright
>> line.
>>
>> Thanks!
>
> Thanks! What made you confident to apply it?

I applied it for pretty much the same reasons you gave:

> I think this is the right
> decision, because it's a separate issue from whatever is going to happen
> to icedtea-6. Using the inheritance seems like the most effective way
> of working here, and the fix does not lead to a potential security hole
> because all that can happen is that certificates do not get imported
> into the keystore.

+1

> We do have to pay attention to whether certificates fail to be added
> though..

Indeed. This is something users will notice.

~~ Ricardo