Jeffrey Walton <[email protected]> writes:

>> In 2020, the public CA situation is still not really ok. Let me know
>> when you've fixed that :-)
>
> Those who install mozilla-rootcerts accept the risk. Those who don't
> trust the ca zoo will not issue 'pkg_add mozilla-rootcerts' in the
> first place.

Sufficiently paranoid people could choose to enable various CAs from the
bundle individually.

> Are you arguing someone will install mozilla-rootcerts but then _not_
> want to use it? That makes no sense.

This is a separation between putting files in the filesystem so that
people can choose to use them in various ways, and configuring *all* of
them into openssl as trust anchors. One is simply providing data, and
the other is a security decision. I think it makes sense to keep those
separate.

When installing mozilla-rootcerts-openssl, the installation happens, and
mozilla-rootcerts is pulled in as a dependency. The cost of separation
is quite small.

The notion that there exist zero sane people that might want to have the
bits but not enable all of them in openssl is not credible.

But, if you have installed mozilla-rootcerts-openssl and are happy,
that's good.
