On Jul 2, 2014, at 4:45 PM, Xin Li <[email protected]> wrote: > Currently, FreeBSD does not install a default /etc/ssl/cert.pem > because we do not maintain one ourselves. We do, however, provide a > port, security/ca_root_nss, which have an option to install a symbolic > link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt, > which is not the default option. > > This become a problem when applications, e.g. fetch(8), have grown the > support of doing certificate validation. I think now it makes sense > to have a default cert.pem installed with the base system. > > So my proposal would be: > > 1. Import a set of trusted root certificates, and install if > MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem; > > 2. In src/etc/Makefile, automatically create a symbolic link if it's > not already present in ${DESTDIR}/etc/ssl; > > 3. Teach mergemaster(8) and other similar applications to create the > symbolic link on demand; > > 4. Change the install/deinstall behavior of security/ca_root_nss: > ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on > install then overwrite with new symlink, and restore on deinstall. > ETCSYMLINK unchecked: If /etc/ssl/cert.pem do not pre-exist, > install new a symlink; on deinstall, if > /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a > symlink to there, or remove if the file does not exist. > > Comments/objections?
It seems like a good plan. As long as people who have a different trust list than Mozilla can easily implement their own trust plan, it's fine, and this brings a lot of ease-of-use to the ports, particularly to common ones like wget. --Paul Hoffman
signature.asc
Description: Message signed with OpenPGP using GPGMail
