fsprojects / ProjectScaffold

A prototypical .NET solution (file system layout and tooling), recommended for F# projects
http://fsprojects.github.io/ProjectScaffold
The Unlicense

We should not run mozroots without asking #235

Closed rmunn closed 8 years ago

rmunn commented 8 years ago

In build.sh as it currently stands, we run mozroots --import --sync --quiet without asking the user for permission. This imports over 100 root SSL certificates (a total of 140 at the moment). Saying that this has security implications would be putting it mildly. Not every user will want to trust the same root certificates as Mozilla. Many will, which is why Mono has made it easy to run a single command and import them all. But for other users, who don't necessarily want to trust Mozilla's list of certificates, we're doing absolutely the wrong thing: we're making a change, potentially a major change, to their system's security, and we're not telling them about it.

I recommend that instead of running mozroots --import --sync --quiet if there are no root SSL certificates installed on the user's system, we should print a message informing them that the Paket bootstrapper will fail because there are no trusted root certificates, and suggest running mozroots --import --sync to fix the problem. But we absolutely should not change their trusted root certificates without their permission or knowledge.

rmunn commented 8 years ago

Note that as mentioned in #213, Mono 3.12 and later will come with Mozilla's root certificates pre-installed, so this will only be an issue on older Linux releases that came with Mono versions prior to 3.12. Still, that's no reason not to do the right thing for those releases. And the right thing is to let the user know about security changes to their system, and not to make such changes without their explicit permission.

forki commented 8 years ago

Yes we should ask.

rmunn commented 8 years ago

Here's a PR with my proposed change. I'm of two minds about whether the exit 1 is a good idea or not. On the one hand, exiting immediately after informing the user of a suggested step seems like a good idea, and if we continue the script, the suggestion might be buried under further error messages. On the other hand, if they have deliberately chosen not to trust any Mozilla certificates and have already downloaded Paket manually, then exiting after printing the message is the wrong thing to do.

Thoughts?

jimmydburr commented 8 years ago

I haven't looked at the PR but it would be great if there could be a y/n install prompt to the user allowing the script to continue and do the install if the user approved.
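The behaviour rmunn proposes (detect an empty trust store, explain the consequence, suggest the command) combined with the y/n prompt jimmydburr asks for, as an added shell example; this is not ProjectScaffold's build.sh or the PR's code. It assumes that user-mode `mozroots --import` populates `$HOME/.config/.mono/certs/Trust` (the `MONO_TRUST_DIR` and `MOZROOTS` variables, `has_trusted_roots`, `ask_yes_no` and `ensure_mono_roots` are names chosen here), and it refuses to change anything when stdin is not a terminal, so a CI run cannot silently import 140 root certificates.

```shell
#!/bin/sh
# Added example, not ProjectScaffold's build.sh: never touch the Mono trust
# store without the user's consent. Assumption: user-mode mozroots writes
# imported roots to $HOME/.config/.mono/certs/Trust.
MONO_TRUST_DIR="${MONO_TRUST_DIR:-$HOME/.config/.mono/certs/Trust}"
# Overridable so the decision logic can be exercised without Mono installed.
MOZROOTS="${MOZROOTS:-mozroots}"

# Succeed if the given trust directory contains at least one certificate file.
has_trusted_roots() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Read one line and succeed only on an explicit y/yes (any case); EOF counts as no.
ask_yes_no() {
    printf '%s [y/N] ' "$1"
    read -r answer || return 1
    case "$answer" in
        [yY]|[yY][eE][sS]) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when roots are already present or the user approved an import,
# 1 when the store is empty and nothing was changed (declined or no terminal),
# so build.sh can decide for itself whether that is fatal.
ensure_mono_roots() {
    dir="${1:-$MONO_TRUST_DIR}"
    if has_trusted_roots "$dir"; then
        return 0
    fi
    echo "No trusted root certificates found in $dir."
    echo "The Paket bootstrapper will fail HTTPS downloads without them."
    echo "Mozilla's root certificates can be imported with: mozroots --import --sync"
    if [ ! -t 0 ]; then
        # Non-interactive run (CI, piped input): report and leave the store alone.
        echo "Not running interactively, so nothing was changed."
        return 1
    fi
    if ask_yes_no "Import Mozilla's root certificates into $dir now?"; then
        "$MOZROOTS" --import --sync
        return $?
    fi
    echo "Leaving the trust store untouched."
    return 1
}
```

A build script would call `ensure_mono_roots` before the Paket bootstrapper and then choose between `exit 1` and carrying on; keeping that choice outside the function is what lets a user who has already downloaded Paket by hand, and deliberately trusts no Mozilla roots, continue past the message.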

knocte commented 8 years ago

> Note that as mentioned in #213, Mono 3.12 and later will come with Mozilla's root certificates pre-installed

AFAIU, this change is in Mono, but it's up to distros to pick it up in their Mono packaging. Debian/Ubuntu did, and e.g. with Ubuntu 16.04 you can use MonoDevelop+Nuget out of the box.