    export PERL5OPT=-MMozilla::CA::Debian
    # Now every perl code that uses Mozilla::CA will instead use your certificates from
    # /etc/ssl/certs (kept up to date by the sysadmin) instead of the outdated Mozilla::CA
Root certificates are a major component of TLS security. Many CPAN modules rely on Mozilla::CA as a default, portable list of root certificates.
But when relying on Mozilla::CA, we rely on:
- the maintainer to release often to keep Mozilla::CA in sync with the Mozilla certificates list
- the maintainer of the module to be trustworthy (no compromised certificates introduced)
- yourself or your sysadmin to keep your local copy of Mozilla::CA up to date with the latest CPAN release
- the CPAN mirror not being compromised to serve an altered version of
- you can't use additional root certificates installed on your system that are not in the Mozilla list (unless the application allows using multiple certificate databases)
- you can't filter the Mozilla list to exclude some certificates
These are many risks, while on a Debian system you already have a list of certificates that:
- you already trust for all tasks on your system
- is updated with other system packages
So Mozilla::CA::Debian replaces Mozilla::CA, providing the same interface (including hijacking the package name) but using the certificates from /etc/ssl/certs.
The implementation uses lazy loading: the certificates file is built only when the VERSION is requested or when the SSL_ca_file function is called (Mozilla::CA exposes the certificate database while Debian exposes a directory of files).
It also allows both Mozilla::CA and Mozilla::CA::Debian to be installed in @INC. Mozilla::CA::Debian will only be used if it is loaded first.
$Mozilla::CA::VERSION reported will be the timestamp of the most recent file in
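The lazy bundle build and the "only if loaded first" takeover of the Mozilla::CA name described above can be written as follows. This is an added example, not the module's actual source; the `*.pem` glob, the use of File::Temp and reporting the version as an epoch mtime through a `VERSION` method are assumptions.

```perl
package Mozilla::CA::Debian;
use strict;
use warnings;
use File::Temp ();

# Assumption: Debian layout, one "Name.pem" entry per trusted root. This glob
# skips the hash-named aliases and the prebuilt ca-certificates.crt bundle.
our $CERT_GLOB = '/etc/ssl/certs/*.pem';

my ($bundle, $newest);    # filled on first use, not at load time

sub _build {
    return if defined $bundle;
    my $tmp = File::Temp->new(SUFFIX => '.pem');  # mode 0600, removed at exit
    my $mtime = 0;
    for my $path (glob($CERT_GLOB)) {
        my @st = stat($path) or next;             # skip dangling symlinks
        open my $in, '<', $path or next;
        my $pem = do { local $/; <$in> };
        next unless defined $pem && $pem =~ /-----BEGIN CERTIFICATE-----/;
        $pem .= "\n" unless $pem =~ /\n\z/;
        print {$tmp} $pem or die "cannot write CA bundle: $!\n";
        $mtime = $st[9] if $st[9] > $mtime;       # track the newest file's mtime
    }
    die "no PEM certificates matched $CERT_GLOB\n" unless $mtime;
    close $tmp or die "cannot write CA bundle: $!\n";
    ($bundle, $newest) = ($tmp, $mtime);          # keeping the object keeps the file
    return;
}

# Take over the Mozilla::CA name only when the CPAN module is not loaded yet.
unless ($INC{'Mozilla/CA.pm'}) {
    $INC{'Mozilla/CA.pm'} = __FILE__;   # a later "use Mozilla::CA" becomes a no-op
    no warnings 'once';
    *Mozilla::CA::SSL_ca_file = sub { _build(); return $bundle->filename };
    *Mozilla::CA::VERSION     = sub { _build(); return $newest };
}

# When run directly as a script, print the path of the generated bundle.
printf "%s\n", Mozilla::CA::SSL_ca_file() unless caller;

1;
```

Failing hard when no certificate matches matters here: an empty bundle handed to a TLS client would otherwise surface later as unexplained verification failures, or tempt callers into disabling verification.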
The code is working. POD has to be written (probably will be copied from the block above).
- I'm not sure about the features. What other systems use a directory of PEM files?
- I'm not sure about the name, as my implementation may work on other systems than Debian.
- Is hijacking the Mozilla::CA package the right way?