pkgsrc-Users archive


Re: How to handle updates to mozilla-rootcerts?



On 23 April 2018 at 20:39, Greg Troxel <gdt%lexort.com@localhost> wrote:
>>> So far, NetBSD has chosen not to install trust anchors in the system
>>> openssl.  You can view this as a cop-out for not dealing, or taking the
>>> high road and separating policy from mechanism, but that's how it is
>>> today.  Other systems seem to have varying approaches, and I'm not clear
>>> on exactly which ones take which paths.  To avoid getting into
>>> validating CAs, it seems an OS should choose between 1) none and 2) the
>>> mozilla list.
>>
>> Right.  This is what motivates the existence of the mozilla-rootcerts
>> package, which is also fine.
>>
>>> As for weeding out CAs, I don't really know how people typically choose.
>>> The issue is not so much domains signed by untrusted CAs, as that having
>>> an untrusted CA in the trust anchor set means that if a cert for some
>>> other domain is presented, it will be believed.
>>
>> I suspect that most folks are not aware that they have the option to
>> pick and choose from the mozilla-rootcerts list, they merely know of
>> "none" and "the mozilla list".  I suspect that the group of people
>> who want to be picky wrt. which CAs they trust are in the ignorable
>> minority with respect to how pkgsrc should deal with this, i.e. they
>> can probably be left to craft their own setups -- we should however
>> cater for the "typical".  (Sure, if this can be made sufficiently
>> flexible to also optionally cater to special needs, that's fine
>> too.)
>
> But, NetBSD the base system has made the choice not to do that.  This is
> not fundamentally different from "sshd should be listening by default
> and allow root logins without a password, because it's convenient" (but a
> huge difference in degree, I realize).

Who cares.  The result is unworkable.

Every time I try to build / install / use git (to pull pkgsrc.git or
netbsd.git) on a fresh NetBSD install I end up tripping over an
obscure error about no trust (and not even the tiniest bread crumb).

Searching for a solution turns up:

- most likely, and unfortunately: how to cripple the tool's
certificate check ...
or
- if you're really lucky: how to install the Mozilla root certs using ...

I always thought it was a bug that would be fixed in the next update.
Guess I'm wrong :-(

Even http://wiki.netbsd.org/pkgsrc/how_to_use_pkgsrc/ forgets to
mention this tiny tiny detail.

Andrew
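The "obscure error about no trust (and not even the tiniest bread crumb)" described above is what a TLS client reports when OpenSSL's default trust store is empty. The following check, added here as an illustration and not part of the original thread or of pkgsrc, asks OpenSSL (through Python's ssl module) whether any trust anchors are actually loadable from the default locations, so that the failure has a diagnosis before anyone reaches for the "cripple the certificate check" answer. It assumes Python 3 with the ssl module; the file names it checks and the recommendation text are its own, and `security/mozilla-rootcerts` is the pkgsrc package referred to in the thread.

```python
import os
import re
import ssl

# OpenSSL "capath" directories hold hashed links such as 2e5ac55d.0; the
# store loads them lazily, so the context's own counters stay at zero even
# when the directory is populated.  We count the links as a second signal.
HASHED_LINK = re.compile(r"^[0-9a-f]{8}\.r?[0-9]+$")


def count_hashed_links(capath):
    """Number of OpenSSL-style hashed certificate links in a capath directory."""
    if not capath or not os.path.isdir(capath):
        return 0
    return sum(1 for name in os.listdir(capath) if HASHED_LINK.match(name))


def diagnose_trust_store(cafile=None, capath=None):
    """Report whether OpenSSL can load any trust anchors.

    With no arguments it inspects the library's default locations, which is
    also where git/curl built against the system OpenSSL look.  Pass cafile
    or capath to test an explicit bundle instead.  Returns a dict with the
    paths examined, the anchor counts and a verdict of ok/empty/missing.
    """
    defaults = ssl.get_default_verify_paths()
    report = {
        "cafile": cafile or defaults.cafile,    # None if the default file is absent
        "capath": capath or defaults.capath,    # None if the default dir is absent
        "ca_count": 0,
        "hashed_links": 0,
        "verdict": "empty",
    }

    # An explicitly named location that does not exist is a configuration
    # error, not merely an empty store: say so rather than silently loading
    # nothing.
    if cafile and not os.path.isfile(cafile):
        report["verdict"] = "missing"
        return report
    if capath and not os.path.isdir(capath):
        report["verdict"] = "missing"
        return report

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        if cafile or capath:
            ctx.load_verify_locations(cafile=cafile, capath=capath)
        else:
            ctx.load_default_certs()
    except (OSError, ssl.SSLError):
        report["verdict"] = "missing"
        return report

    report["ca_count"] = ctx.cert_store_stats()["x509_ca"]
    report["hashed_links"] = count_hashed_links(report["capath"])
    if report["ca_count"] > 0 or report["hashed_links"] > 0:
        report["verdict"] = "ok"
    return report


def recommendation(report):
    """Turn a report into the bread crumb the error message never gives."""
    if report["verdict"] == "ok":
        return ("trust anchors present ({} loaded, {} hashed links); "
                "git/curl should be able to verify peers".format(
                    report["ca_count"], report["hashed_links"]))
    # Hypothetical advice text: the package name is the one the thread
    # discusses; the config key is git's real http.sslCAInfo option.
    return ("no usable trust anchors found: install a CA bundle (on pkgsrc, "
            "security/mozilla-rootcerts) or point the client at one with "
            "git config http.sslCAInfo, rather than disabling verification")


if __name__ == "__main__":
    r = diagnose_trust_store()
    for key in ("cafile", "capath", "ca_count", "hashed_links", "verdict"):
        print("{:13} {}".format(key + ":", r[key]))
    print(recommendation(r))
```

Run with no arguments on the host that produced the error. A verdict of `empty` with both default paths reported as `None` is the situation the thread describes: the base system ships no anchors at all, and the fix is to install a bundle, not to turn verification off.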

