As discussed on IRC I question the merits of this package shipping cacert.pem to begin with, in particular if it is correct (I have no reason to doubt it) that the calling code for libwww-perl reverts to the system store. Currently, in dev-perl/Mozilla-CA-20160104 it ships with WoSign and StartCom. See bug 598072 for details why this is bad.
As a defensive strategy, we should be starting off at the very least by patching everything that uses Mozilla::CA's cert bundle to not use it by default. That is, eliminate Mozilla::CA in usage from ::gentoo, but leave the dist in-place for people who need to use it in their own code. Because if we're going to be replacing Mozilla::CA's PEM file with a modified version of our own, the point of having Mozilla::CA in tree is pretty much nil. Additionally, if we go down this road we'll be engaging in lots of pointless fluffing patching upstream's pem file, or bundling our own. Where it would be better to simply patch the relevant code to use /etc/ssl/certs correctly. Ideally however, this means IO::Socket::SSL *should* default to /etc/ssl/certs, as opposed to Mozilla::CA. Reading the logic here: https://metacpan.org/source/SULLR/IO-Socket-SSL-2.038/lib/IO/Socket/SSL.pm#L438-483 indicates maybe that is already the case, and Mozilla::CA might only be invoked if /etc/ssl/certs is missing/empty. (But the code is a bit difficult to read today with the energy I have)
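The fallback described above can be checked from Perl, and a client can be pinned to the system store so the Mozilla::CA bundle is never consulted. This is an added example, not code from the bug or from either distribution; the /etc/ssl/certs paths are assumed to be those installed by app-misc/ca-certificates.

```perl
#!/usr/bin/perl
# Added example: report which CA store IO::Socket::SSL picked at load time,
# and pin an LWP client to the system store instead of Mozilla::CA's cacert.pem.
use strict;
use warnings;
use IO::Socket::SSL;
use LWP::UserAgent;

# default_ca() returns the SSL_ca_file / SSL_ca_path IO::Socket::SSL detected.
# Mozilla::CA is only consulted when no system store (env, OpenSSL default dir) was found.
sub report_default_ca {
    my %ca = IO::Socket::SSL::default_ca();
    printf "default SSL_ca_file: %s\n", $ca{SSL_ca_file} // '(none)';
    printf "default SSL_ca_path: %s\n", $ca{SSL_ca_path} // '(none)';

    # Flag the case this bug is about: the default is Mozilla::CA's bundled PEM.
    if (defined $ca{SSL_ca_file}
        && eval { require Mozilla::CA; 1 }
        && $ca{SSL_ca_file} eq Mozilla::CA::SSL_ca_file()) {
        warn "IO::Socket::SSL is using Mozilla::CA's cacert.pem, not the system store\n";
    }
    return %ca;
}

# Mitigation: trust /etc/ssl/certs explicitly. SSL_ca_path must be an OpenSSL
# hashed directory (c_rehash'd); if it is not, fall back to the concatenated
# bundle file. Both paths are assumptions about app-misc/ca-certificates.
sub system_store_ua {
    my %opts = (verify_hostname => 1);
    if (-d '/etc/ssl/certs') {
        $opts{SSL_ca_path} = '/etc/ssl/certs';
    } elsif (-f '/etc/ssl/certs/ca-certificates.crt') {
        $opts{SSL_ca_file} = '/etc/ssl/certs/ca-certificates.crt';
    } else {
        die "no system CA store found; refusing to fall back to a bundled PEM\n";
    }
    return LWP::UserAgent->new(ssl_opts => \%opts);
}

report_default_ca();
my $ua = system_store_ua();
print "client pinned to system store\n";
```

Run it on a host with the stub =dev-perl/Mozilla-CA-20999999 and the warning should not appear; with the old Mozilla-CA-20160104 and an empty /etc/ssl/certs it does.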
Seems related: https://github.com/gisle/mozilla-ca/pull/9
Newly created =dev-perl/Mozilla-CA-20999999 is a stub package for Gentoo which does not include any certs anymore but points to the files installed by app-misc/ca-certificates. It's a bit fresh right now, but once this "version" is stabilized this problem is gone.
Please test and stabilize =dev-perl/Mozilla-CA-20999999. Target: alpha amd64 ppc x86
amd64 stable
x86 stable
Stable on alpha.
The auditing component doesn't show the Atoms to Stabilize box :/
ppc stable. Maintainer(s), please cleanup.
Hardening, not a vuln, no glsa, and consequently no cleanup needed for closing