[oi-dev] crypto/ca-certificates
Tim Mooney
Tim.Mooney at ndsu.edu
Thu Oct 28 20:27:15 UTC 2021
In regard to: Re: [oi-dev] crypto/ca-certificates, stes at PANDORA.BE said (at...:
> I tested building a 3.72 package but that also does not solve the problem.
>
> $ pkgrepo -s i386/repo/ list
> PUBLISHER NAME O VERSION
> userland crypto/ca-certificates 3.72-2020.0.1.0:20211028T165026Z
>
>
> The problem remains for both 3.71 and 3.72 that
>
> $ pkg contents ca-certificates | grep DST
> etc/certs/CA/DST_Root_CA_X3.pem
>
> So the expired certificate remains in the package.
>
> I am not certain how this should be solved.
Red Hat's approach was to remove 'DST Root CA X3' from their packaged
ca-certificates bundle.
https://access.redhat.com/articles/6338021
I'm not certain how other popular Linux distros have addressed it, but
only a few distros do long-term support, so those would be the ones most
impacted by it.
Tim
--
Tim Mooney Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure /
Division of Information Technology / 701-231-1076 (Voice)
North Dakota State University, Fargo, ND 58105-5164
More information about the oi-dev
mailing list