Debian Bug report logs - #597537
euca2ools: Please include the public EC2 certificate

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <miguel@miguel.cc>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: euca2ools: Please include the public EC2 certificate

Date: Mon, 20 Sep 2010 11:51:02 -0430

Package: euca2ools
Version: 1.2-1
Severity: wishlist

Hi,

Is there any possibility to include the public EC2
certificate in this package?

I ask because I had problems bundling EC2 images until I
figured out that I need that certificate and I had to
install the non-free package ec2-ami-tools from Ubuntu which
includes this file.

I don't know if is possible to redistribute this file in
Debian, but this would be really useful if possible.

BTW, this issue was also opened in Ubuntu some time ago,
please check https://bugs.launchpad.net/ubuntu/+source/euca2ools/+bug/479836

Thanks,


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages euca2ools depends on:
ii  python                       2.6.6-1     interactive high-level object-orie
ii  python-boto                  1.9b-4      Python interface to Amazon's Web S
ii  python-central               0.6.16+nmu1 register and build utility for Pyt
ii  python-m2crypto              0.20.1-1+b1 a crypto and SSL toolkit for Pytho

euca2ools recommends no packages.

euca2ools suggests no packages.

-- no debconf information

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche

Message #18 received at 597537@bugs.debian.org (full text, mbox, reply):

From: Charles Plessy <plessy@debian.org>

To: 597537@bugs.debian.org, debian-devel@lists.debian.org

Subject: Looking for seconds to add the Amazon EC2 public certificate in ca-certificates.

Date: Tue, 23 Aug 2011 12:47:16 +0900

[Message part 1 (text/plain, inline)]

severity 597537 normal
thanks

Dear all,

as per /usr/share/doc/ca-certificates/README.Debian, I am looking for
additional signed recommendations for the addition of the Amazon Elastic
Computer Cloud (EC2) public certificate to the ca-certificates packages.

In Ubuntu it is distributed in the euca2ools packages, that I co-maintain in
Debian, but for the following reasons I think that ca-certificates would be a
better place.
 
 - The original upstream sources of euca2ools do not contain the certificate.
 - The Upstream of euca2ools, Eucalyptus, and the provider of the EC2, Amazon,
   are not the same company.
 - The use of the certificate is not limited to euca2ools.

I attached a copy of the certificate.  It is used to bundle machine images
for the EC2.  I have not found a web page dedicated to its description.

SHA1 Fingerprint=D3:27:BA:A0:F8:D3:EE:9C:BB:3C:FB:FE:3B:52:65:A8:40:53:5D:0D

It was downloaded from http://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip

Although the files in this archive are distributed under the non-free Amazon
Software License (http://aws.amazon.com/asl/), I think that public certificate
is not subject to a licence, since it is not the product of an intellectual
work.

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

[signature.asc (application/pgp-signature, inline)]

Message #25 received at 597537@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: 597537@bugs.debian.org, debian-devel@lists.debian.org

Subject: Re: Looking for seconds to add the Amazon EC2 public certificate in ca-certificates.

Date: Mon, 22 Aug 2011 20:56:55 -0700

Charles Plessy <plessy@debian.org> writes:

> as per /usr/share/doc/ca-certificates/README.Debian, I am looking for
> additional signed recommendations for the addition of the Amazon Elastic
> Computer Cloud (EC2) public certificate to the ca-certificates packages.

As someone not particularly familiar with the details of how certs work
inside EC2, my main question would be: what's the signing policy used by
the holder of the private key for this certificate?

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #30 received at 597537@bugs.debian.org (full text, mbox, reply):

From: Michael Shuler <michael@pbandjelly.org>

To: 597537@bugs.debian.org

Cc: debian-devel@lists.debian.org

Subject: Re: Looking for seconds to add the Amazon EC2 public certificate in ca-certificates.

Date: Tue, 23 Aug 2011 12:23:10 -0500

[Message part 1 (text/plain, inline)]

On 08/22/2011 10:56 PM, Russ Allbery wrote:
> Charles Plessy <plessy@debian.org> writes:
> 
>> as per /usr/share/doc/ca-certificates/README.Debian, I am looking for
>> additional signed recommendations for the addition of the Amazon Elastic
>> Computer Cloud (EC2) public certificate to the ca-certificates packages.
> 
> As someone not particularly familiar with the details of how certs work
> inside EC2, my main question would be: what's the signing policy used by
> the holder of the private key for this certificate?

This is also my question - is this a CA that will be verifying and
signing other certs? (I'll try to dig on the same info, as well)

For the record, I intend to adopt ca-certificates relatively soon, as I
have not heard back from the previous ITA poster in a few weeks.  The
package needs some TLC and I have some updates already queued up, but
not pushed to my git repo, yet  :-)

-- 
Kind regards,
Michael

[signature.asc (application/pgp-signature, attachment)]

Message #35 received at 597537@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <miguel@miguel.cc>

To: 597537@bugs.debian.org, debian-devel@lists.debian.org

Subject: Re: Looking for seconds to add the Amazon EC2 public certificate in ca-certificates.

Date: Tue, 23 Aug 2011 16:04:47 -0430

On Tue, Aug 23, 2011 at 12:53 PM, Michael Shuler <michael@pbandjelly.org> wrote:
> This is also my question - is this a CA that will be verifying and
> signing other certs? (I'll try to dig on the same info, as well)

AFAIK, this certificate is only used to encrypt your AMIs and transfer them
securely to Amazon. In this way only you and Amazon know about the content
of your AMI, Amazon needs this in order to launch your AMIs in their cloud.

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche

Message #40 received at 597537@bugs.debian.org (full text, mbox, reply):

From: Stefano Rivera <stefanor@debian.org>

To: Miguel Landaeta <miguel@miguel.cc>

Cc: 597537@bugs.debian.org, debian-devel@lists.debian.org

Subject: Re: Looking for seconds to add the Amazon EC2 public certificate in ca-certificates.

Date: Wed, 24 Aug 2011 13:40:29 +0200

Hi Miguel (2011.08.23_22:34:47_+0200)
> AFAIK, this certificate is only used to encrypt your AMIs and transfer them
> securely to Amazon. In this way only you and Amazon know about the content
> of your AMI, Amazon needs this in order to launch your AMIs in their cloud.

That's what I've heard (although non-definitively) from someone who used
to maintain ec2-ami-tools for Amazon.

And as Russ asked:
> Hm, then it's not actually a CA, is it?

Correct. It's just some public key material for encryption.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  H: +27 21 465 6908 C: +27 72 419 8559  UCT: x3127

Message #45 received at 597537@bugs.debian.org (full text, mbox, reply):

From: Charles Plessy <plessy@debian.org>

To: debian-devel@lists.debian.org

Cc: 597537@bugs.debian.org

Subject: Re: Looking for seconds to add the Amazon EC2 public certificate in ca-certificates.

Date: Thu, 25 Aug 2011 11:05:35 +0900

Le Wed, Aug 24, 2011 at 03:06:11PM +0000, Philipp Kern a écrit :
> On 2011-08-23, Russ Allbery <rra@debian.org> wrote:
> > It seems strange to include a non-CA certificate in ca-certificates; we
> > may need a different sort of infrastructure to handle things like this.
> > (And I think it would be a bit questionable to trust any certificate
> > signed by that certificate in a web browser, say, which is what would
> > happen if it were just included in ca-certificates.)
> 
> Yep, it's the wrong place.  Furthermore, if we are not allowed to distribute
> it, we shouldn't.  And if other open-source projects don't ship it, that's
> fairly good clue that we shouldn't, neither.

Thanks everybody who explained better the usage of this certificate.  As
others, I now think that a good place for it would be in a future cloud support
package, for instance cloud-utils (http://bugs.debian.org/622946).

There is no indication that the certificate is not redistributable, and there
is at least one other project that redistributes it (Ubuntu, in the euca2ools
package).

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Message #50 received at 597537@bugs.debian.org (full text, mbox, reply):

From: Michael Shuler <michael@pbandjelly.org>

To: 622946@bugs.debian.org

Cc: 573857@bugs.debian.org, 597537@bugs.debian.org, control@bugs.debian.org

Subject: Where should the EC2 AMI certificate live?

Date: Fri, 28 Oct 2011 19:23:28 -0500

tag 573857 + help
tag 597537 + help
thanks

As Charles mentioned in #597537 [0], the EC2 AMI certificate is
distributed in the euca2ools package in Ubuntu - should it live in
euca2ools in Debian?  Or, perhaps in the future cloud-utils package [1],
as Charles mentions later in the same bug report?

I am working on cleaning up the ca-certificates bug list and since AWS
EC2 is not a signing Certificate Authority, I don't think it is
appropriate for ca-certificates.  I would like to reassign the merged
bugs #573857 and #597537 to a proper package that would like to include
the EC2 certificate.  Thoughts?

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597537#18
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622946

-- 
Kind regards,
Michael Shuler

Message #59 received at 597537@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: "Charles Plessy" <plessy@debian.org>

Cc: 597537@bugs.debian.org

Subject: Re: Looking for seconds to add the Amazon EC2 public certificate in ca-certificates.

Date: Tue, 11 Jun 2013 12:55:52 +0200

Hi Charles,

> As Charles mentioned in #597537 [0], the EC2 AMI certificate is
> distributed in the euca2ools package in Ubuntu - should it live in
> euca2ools in Debian?  Or, perhaps in the future cloud-utils package [1],
> as Charles mentions later in the same bug report?
>
> I am working on cleaning up the ca-certificates bug list and since AWS
> EC2 is not a signing Certificate Authority, I don't think it is
> appropriate for ca-certificates.  I would like to reassign the merged
> bugs #573857 and #597537 to a proper package that would like to include
> the EC2 certificate.  Thoughts?

Can you advise on this?


thanks,
Thijs

Message #64 received at 597537@bugs.debian.org (full text, mbox, reply):

From: Charles Plessy <plessy@debian.org>

To: Thijs Kinkhorst <thijs@debian.org>

Cc: 597537@bugs.debian.org

Subject: Re: Looking for seconds to add the Amazon EC2 public certificate in ca-certificates.

Date: Wed, 12 Jun 2013 08:28:36 +0900

Le Tue, Jun 11, 2013 at 12:55:52PM +0200, Thijs Kinkhorst a écrit :
> 
> > As Charles mentioned in #597537 [0], the EC2 AMI certificate is
> > distributed in the euca2ools package in Ubuntu - should it live in
> > euca2ools in Debian?  Or, perhaps in the future cloud-utils package [1],
> > as Charles mentions later in the same bug report?
> >
> > I am working on cleaning up the ca-certificates bug list and since AWS
> > EC2 is not a signing Certificate Authority, I don't think it is
> > appropriate for ca-certificates.  I would like to reassign the merged
> > bugs #573857 and #597537 to a proper package that would like to include
> > the EC2 certificate.  Thoughts?
> 
> Can you advise on this?

Hi Thijs and everybody,

how about proposing a new binary package in the ca-certificates source package ?
I see http://wiki.debian.org/X.509 and this new binary package could follow
a policy along these lines.

Cheers,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Message #69 received at 597537@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: "Charles Plessy" <plessy@debian.org>

Cc: 597537@bugs.debian.org

Subject: Re: Looking for seconds to add the Amazon EC2 public certificate in ca-certificates.

Date: Wed, 12 Jun 2013 08:36:42 +0200

On Wed, June 12, 2013 01:28, Charles Plessy wrote:
> Le Tue, Jun 11, 2013 at 12:55:52PM +0200, Thijs Kinkhorst a écrit :
>>
>> > As Charles mentioned in #597537 [0], the EC2 AMI certificate is
>> > distributed in the euca2ools package in Ubuntu - should it live in
>> > euca2ools in Debian?  Or, perhaps in the future cloud-utils package
>> [1],
>> > as Charles mentions later in the same bug report?
>> >
>> > I am working on cleaning up the ca-certificates bug list and since AWS
>> > EC2 is not a signing Certificate Authority, I don't think it is
>> > appropriate for ca-certificates.  I would like to reassign the merged
>> > bugs #573857 and #597537 to a proper package that would like to
>> include
>> > the EC2 certificate.  Thoughts?
>>
>> Can you advise on this?
>
> Hi Thijs and everybody,
>
> how about proposing a new binary package in the ca-certificates source
> package ?
> I see http://wiki.debian.org/X.509 and this new binary package could
> follow
> a policy along these lines.

I'm not sure what the source of that wiki page is nor do I think it has
current consensus or implementation. At least it doesn't stem from the
ca-certificates maintainers.

As with your proposal for a new binary package: I'm not sure we have
enough content currently to justify such a thing. We currently have the
suggestion to add the EC2 certificate only.

What do you think about adding the certificate in a package more
specifically geared to this specialist use case? After all, the
certificate is not generally usable, only with this specific service. The
euca2ools package was suggested as a good place, where Ubuntu seems to
keep it aswell, or something like cloud-init?


Cheers,
Thijs

Message #74 received at 597537@bugs.debian.org (full text, mbox, reply):

From: Charles Plessy <plessy@debian.org>

To: Thijs Kinkhorst <thijs@debian.org>

Cc: 597537@bugs.debian.org

Subject: Re: Looking for seconds to add the Amazon EC2 public certificate in ca-certificates.

Date: Sat, 15 Jun 2013 15:24:34 +0900

Le Wed, Jun 12, 2013 at 08:36:42AM +0200, Thijs Kinkhorst a écrit :
> 
> What do you think about adding the certificate in a package more
> specifically geared to this specialist use case? After all, the
> certificate is not generally usable, only with this specific service. The
> euca2ools package was suggested as a good place, where Ubuntu seems to
> keep it aswell, or something like cloud-init?

Hi Thijs,

I still do not like the idea of adding the certificate to euca2ools,
but I will do it.  If some other developers create a package to contain
similar certificates, I will be happy to transfer it later.

(Note that the certificate is useful with other implementations of the
Amazon API.)

Have a nice week-end,

-- 
Charles

Message #79 received at 597537-done@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: "Charles Plessy" <plessy@debian.org>, 597537-done@bugs.debian.org

Subject: Re: Bug#597537: Looking for seconds to add the Amazon EC2 public certificate in ca-certificates.

Date: Sat, 15 Jun 2013 10:11:38 +0200

Hi Charles,

On Sat, June 15, 2013 08:24, Charles Plessy wrote:
> Le Wed, Jun 12, 2013 at 08:36:42AM +0200, Thijs Kinkhorst a écrit :
>>
>> What do you think about adding the certificate in a package more
>> specifically geared to this specialist use case? After all, the
>> certificate is not generally usable, only with this specific service.
>> The
>> euca2ools package was suggested as a good place, where Ubuntu seems to
>> keep it aswell, or something like cloud-init?
>
> Hi Thijs,
>
> I still do not like the idea of adding the certificate to euca2ools,
> but I will do it.  If some other developers create a package to contain
> similar certificates, I will be happy to transfer it later.
>
> (Note that the certificate is useful with other implementations of the
> Amazon API.)
>
> Have a nice week-end,

Thanks. It may not be perfect but I believe it's the right way to go at
this point. Of course we can change things anytime later when it makes
sense.


Cheers,
Thijs

Send a report that this bug log contains spam.