NetBSD-Users archive


Re: Problem cloning at GitHub using HTTPS



Jeffrey Walton <noloader%gmail.com@localhost> writes:

>> In 2020, the public CA situation is still not really ok.  Let me know
>> when you've fixed that :-)
>
> Those who install mozilla-rootcerts accept the risk. Those who don't
> trust the ca zoo will not issue 'pkg_add mozilla-rootcerts' in the
> first place.

Sufficiently paranoid people could choose to enable various CAs from the
bundle individually.

> Are you arguing someone will install mozilla-rootcerts but then _not_
> want to use it? That makes no sense.

This is a separation between putting files in the filesystem so that
people can choose to use them in various ways, and configuring *all* of
them into openssl as trust anchors.  One is simply providing data, and
the other is a security decision.  I think it makes sense to keep those
separate.  When installing mozilla-rootcerts-openssl, the installation
happens, and mozilla-rootcerts is pulled in as a dependency.  The cost
of separation is quite small.

The notion that there exist zero sane people that might want to have the
bits but not enable all of them in openssl is not credible.

But, if you have installed mozilla-rootcerts-openssl and are happy,
that's good.

