bagder / ca-bundle

The Mozilla CA bundle extracted and converted to PEM. This repository functions as a backup to the automated service on the curl web site.
https://curl.se/docs/caextract.html

Feature request: add a copy of `certdata.txt` to this repo #11

Closed Jayman2000 closed 3 hours ago

Jayman2000 commented 3 hours ago

Hello!

I’m currently working on developing a game using the Godot Engine. Eventually, we’re going to start distributing binary copies of that game. Each binary copy of the game will contain a binary copy of the Godot Engine. We need to make sure that we comply with all applicable licenses when distributing binary copies of the game.

Godot binaries contain a copy of ca-bundle.crt, so we’re going to have to comply with MPL 2.0. MPL 2.0 says (emphasis added):

3.2. Distribution of Executable Form

If You distribute Covered Software in Executable Form then:

  1. such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and […]

In this specific situation, it seems pretty difficult to tell people how they can get the source code for ca-bundle.crt. I thought that I could maybe include a link to https://docs.godotengine.org/en/stable/contributing/development/compiling/getting_source.html in the game, but I don’t think that that would work. Here’s what would happen:

  1. The user would visit that link.

  2. The user would then visit Godot’s release page, and find the stable version of Godot 4.3.

  3. The user would download and extract the source code.

  4. The user would find the thirdparty/README.md file, and see that it has a section for the ca-bundle repo.

  5. The user would clone https://github.com/bagder/ca-bundle and then checkout c5a419971b1bec220368c619aaafd0b818aa119f because thirdparty/README.md says that Godot 4.3 uses that specific revision of the ca-bundle repo.

  6. The user would then find this comment at the top of ca-bundle.crt:

    ## This is a bundle of X.509 certificates of public Certificate Authorities
    ## (CA). These were automatically extracted from Mozilla's root certificates
    ## file (certdata.txt).  This file can be found in the mozilla source tree:
    ## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt

  7. The user would go to https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt, but they still wouldn’t have the source code for the version of ca-bundle.crt that’s in Godot v4.3. Instead, they would have the source code for a newer version of ca-bundle.crt.

Here’s my feature request. When you run mk-ca-bundle, it generates two different files, ca-bundle.crt and certdata.txt. It would be nice if this repo contained both of those files instead of just one. That way, users would be able to easily get a copy of the source code for whichever version of ca-bundle.crt they’re using.
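Once a certdata.txt revision sits next to the ca-bundle.crt it was generated from, a distributor can check that the bundle they ship is actually traceable to that source file. The script below is an added example, not code from the ca-bundle repository or from mk-ca-bundle: it decodes every CKA_VALUE MULTILINE_OCTAL block in certdata.txt and every CERTIFICATE block in the PEM bundle, hashes the DER bytes, and reports bundle certificates that cannot be explained by the given certdata.txt. It assumes the file layouts described above (backslash-escaped octal bytes terminated by END, and standard PEM armor) and does not re-implement mk-ca-bundle's trust-attribute filtering, so certdata entries missing from the bundle are listed for information only. The sample inputs are constructed 5-byte DER placeholders, not real certificates.

```python
"""Provenance check for a shipped ca-bundle.crt against a certdata.txt revision.

Added example; it is not code from the ca-bundle repository or from mk-ca-bundle.
It compares the DER bytes of each certificate in the PEM bundle with the
CKA_VALUE blobs in certdata.txt, so a bundle generated from this certdata.txt
revision has no unexplained certificates.  It does not re-implement
mk-ca-bundle's trust-attribute filtering, so certdata entries absent from the
bundle are reported for information only.
"""
import base64
import hashlib
import re

# certdata.txt encodes binary values as backslash-escaped three-digit octal bytes.
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def parse_certdata(text: str) -> dict:
    """Map sha256(DER) -> CKA_LABEL for every CKA_VALUE MULTILINE_OCTAL block."""
    certs = {}
    label = "<unlabelled>"
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("CKA_LABEL UTF8 "):
            # The label precedes CKA_VALUE within the same CKO_CERTIFICATE object.
            label = line.split(" ", 2)[2].strip().strip('"')
        elif line.startswith("CKA_VALUE MULTILINE_OCTAL"):
            octal_lines = []
            for blob_line in lines:  # consume the blob up to its terminating END
                if blob_line.strip() == "END":
                    break
                octal_lines.append(blob_line)
            der = bytes(int(o, 8) for o in OCTAL_ESCAPE.findall("".join(octal_lines)))
            certs[hashlib.sha256(der).hexdigest()] = label
    return certs


def parse_pem_bundle(text: str) -> list:
    """Return sha256(DER) for every CERTIFICATE block in a PEM bundle."""
    digests = []
    for match in PEM_CERT.finditer(text):
        der = base64.b64decode("".join(match.group(1).split()))
        digests.append(hashlib.sha256(der).hexdigest())
    return digests


def compare(certdata_text: str, bundle_text: str) -> dict:
    """Report bundle certificates not traceable to certdata.txt, and vice versa."""
    source = parse_certdata(certdata_text)
    shipped = parse_pem_bundle(bundle_text)
    return {
        "bundle_certs": len(shipped),
        "source_certs": len(source),
        # Any entry here means the bundle was NOT generated from this certdata.txt.
        "unexplained": [d for d in shipped if d not in source],
        # Entries here are usually certificates excluded by mk-ca-bundle's trust filter.
        "not_shipped": [lbl for d, lbl in source.items() if d not in shipped],
    }


# Constructed sample data: the "certificates" are 5-byte DER placeholders,
# not real X.509 certificates, so the comparison logic can run offline.
SAMPLE_CERTDATA = """\
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root A"
CKA_VALUE MULTILINE_OCTAL
\\060\\003\\002\\001\\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root B"
CKA_VALUE MULTILINE_OCTAL
\\060\\003\\002\\001\\002
END
"""

# Only Root A is shipped; its base64 body is the DER bytes 30 03 02 01 01.
SAMPLE_BUNDLE = """\
Constructed Root A
==================
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(compare(SAMPLE_CERTDATA, SAMPLE_BUNDLE))
```

Run it against a real pair by reading the two files from the pinned revision of this repo and passing their contents to `compare()`; a non-empty `unexplained` list is the signal that the bundle and the certdata.txt you are pointing users at do not belong together.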

bagder commented 3 hours ago

Sounds like a reasonable ask that is also super easy to comply with. The file is already in my working directory and it would be easy for me to always just commit that at the same time as the generated output.