git-for-windows/git-sdk-64

Removal of e-Tugra root certificate

nagaripratap opened this issue · 6 comments

Description
Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store.

e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

Information

Manifest Path: mingw32/etc/ssl/certs/ca-bundle.trust.crt

dscho commented

This here repository actually consumes the MSYS2 packages. Would you mind working on the mingw-w64-ca-certificates package in https://github.com/msys2/MINGW-packages instead? Git for Windows will then reap the benefits from that.

Sure, let me check.

No CA root certificates on the mentioned repository; traces found only on git-sdk-64.

rimrul commented

> No CA root certificates on the mentioned repository; traces found only on git-sdk-64.

No certificates, but the packaging info that mingw32/etc/ssl/certs/ca-bundle.trust.crt and mingw64/etc/ssl/certs/ca-bundle.trust.crt get built from. And don't forget about ca-certificates for /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt.

dscho commented

I don't see any updates at http://ftp.debian.org/debian/pool/main/c/ca-certificates/, from which MSYS draws their certificates. Those packages seem to draw from the Git repository at https://salsa.debian.org/debian/ca-certificates, which also did not see any update yet.

I don't really feel comfortable trying to move faster than the upstream projects. As far as I understand, there has not been any breach, just a loss of trust on Mozilla's part.

lazka commented

I've also noticed that Debian is quite slow with updating their list in general some time ago and opened msys2/MSYS2-packages#3509 for syncing from Mozilla directly like Fedora does.
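
To check whether a given bundle, such as the `ca-bundle.trust.crt` files named in this thread, still carries a root whose subject names e-Tugra, the following is an added example; it is not part of the thread and not code from Git for Windows, MSYS2 or certifi. It walks the DER of each entry with the standard library only and reports the SHA-256 fingerprint and subject of each match. Assumptions: the bundle holds PEM `CERTIFICATE` or OpenSSL `TRUSTED CERTIFICATE` blocks, and the search term `e-tugra` and all function names are illustrative.

```python
import base64, hashlib, re, sys, unicodedata
PEM_RE = re.compile(r"-----BEGIN ((?:TRUSTED )?CERTIFICATE)-----(.*?)-----END \1-----", re.S)
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1", 0x16: "ascii", 0x1E: "utf-16-be"}

def read_tlv(buf, off):  # -> (tag, content_start, content_end) of the DER element at off
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def children(buf, start, end):  # yield each element inside buf[start:end]
    while start < end:
        tag, cs, ce = read_tlv(buf, start)
        yield tag, cs, ce
        start = ce

def subject_strings(cert):  # text values of the subject Name of a DER certificate
    _, cs, _ = read_tlv(cert, 0)                                  # Certificate
    _, ts, te = read_tlv(cert, cs)                                # tbsCertificate
    fields = [f for f in children(cert, ts, te) if f[0] != 0xA0]  # skip [0] version
    _, ss, se = fields[4]  # order: serial, sigAlg, issuer, validity, subject
    return [cert[vs:ve].decode(STRING_TAGS[tag], "replace")
            for _, rs, r_end in children(cert, ss, se)        # each RDN (SET)
            for _, a_s, a_e in children(cert, rs, r_end)      # AttributeTypeAndValue
            for tag, vs, ve in children(cert, a_s, a_e) if tag in STRING_TAGS]

def fold(text):  # casefold and strip diacritics so accented spellings still match
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def find_roots(bundle_text, needle):
    """Return (sha256 hex, subject) for bundle entries whose subject contains needle."""
    hits = []
    for m in PEM_RE.finditer(bundle_text):
        try:
            der = base64.b64decode(m.group(2))
            cert = der[:read_tlv(der, 0)[2]]  # drop trust data after the cert (TRUSTED blocks)
            subject = ", ".join(subject_strings(cert))
        except (ValueError, IndexError):
            continue  # not a parsable certificate
        if fold(needle) in fold(subject):
            hits.append((hashlib.sha256(cert).hexdigest(), subject))
    return hits

if __name__ == "__main__":  # usage: python script.py <path to ca-bundle.trust.crt>
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        print(*find_roots(fh.read(), "e-tugra"), sep="\n")
```

Only the subject is searched, so a certificate merely issued by a matching CA is not reported; an empty result means no entry in that file matched the search term.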