On Fri, Mar 27, 2020 at 9:53 AM Greg Troxel <[email protected]> wrote:
>
> Jeffrey Walton <[email protected]> writes:
>
> > How can I configure pkg_add to do all the extra work? Users should not
> > have to do this stuff manually. The man page does not discuss these
> > extra steps.
>
> Not sure what man page you are referring to, but the issue of default
> trust anchors is not an easy one. One person's "just works" is
> another's security failure by allowing validation of certificates signed
> by CAs they view as untrustworthy. There is significant history of bad
> CA behavior.
>
> I have just updated DESCR for the mozilla-rootcerts and
> mozilla-rootcerts-openssl to explain the situation. Basically, pkgsrc
> is currently respecting the base system trust anchor policy, and
> provides mozilla-rootcerts-openssl to configure openssl (base system or
> pkgsrc, whichever is used by pkgsrc packages).
>
> This issue has arisen because various programs have enabled validation
> of certificates relatively recently.
>
> > CA is 2020. I am a firm believer the tools should do the work for me.
> > I don't work for the tools.
>
> In 2020, the public CA situation is still not really ok. Let me know
> when you've fixed that :-)

Those who install mozilla-rootcerts accept the risk. Those who don't
trust the CA zoo will not issue 'pkg_add mozilla-rootcerts' in the first
place.

Are you arguing someone will install mozilla-rootcerts but then _not_
want to use it? That makes no sense.

Jeff
