Jeffrey Walton <noloa...@gmail.com> writes:

> How can I configure pkg_add to do all the extra work? Users should not
> have to do this stuff manually. The man page does not discuss these
> extra steps.

Not sure what man page you are referring to, but the issue of default trust anchors is not an easy one. One person's "just works" is another's security failure by allowing validation of certificates signed by CAs they view as untrustworthy. There is significant history of bad CA behavior.

I have just updated DESCR for the mozilla-rootcerts and mozilla-rootcerts-openssl to explain the situation. Basically, pkgsrc is currently respecting the base system trust anchor policy, and provides mozilla-rootcerts-openssl to configure openssl (base system or pkgsrc, whichever is used by pkgsrc packages).

This issue has arisen because various programs have enabled validation of certificates relatively recently.

> CA is 2020. I am a firm believer the tools should do the work for me.
> I don't work for the tools.

In 2020, the public CA situation is still not really ok. Let me know when you've fixed that :-)