Benny Siegert <bsiegert%gmail.com@localhost> writes:

> On Sat, Dec 7, 2013 at 2:18 AM, Makoto Fujiwara <makoto%ki.nu@localhost>
> wrote:
>> To process this part properly, the following steps are necessary (I believe),
>> (1) # pkg_add mozilla-rootcerts (not if DEPENDS in Makefile)
>> and after reading 'pkg_info -D mozilla-rootcerts' or so,
>> (2) # mozilla-rootcerts install
>
> I have argued in the past for automatically doing the "install" step,
> as the package is basically useless otherwise. But there has been
> resistance from people saying that certificate lists are config files
> and should be installed manually by the administrator.
>
> Personally, I believe that this represents a non-obvious hoop to jump
> through for a normal user. Probably 90% of people who install the
> mozilla-rootcerts package do not care about any of these subtleties,
> they just want the damn certificate warnings to go away.
>
> (This is why I wrote the install mode, by the way. Before that, the
> instructions were like "just execute these ten simple commands".)

This is a difficult question. The idea that one's system will have additional trust anchors (for all programs that use openssl) because one installed some random package that one didn't even think about whether it uses ssl is nonobvious and surprising from a security viewpoint.

Perhaps NetBSD's base system should have configured trust anchors instead; this isn't really about pkgsrc. Or perhaps we don't want to, and we want to make users think about which CAs they trust.

So I tend to think that the approach of not having programs depend on mozilla-rootcerts is better, and "how to think about what to do about trust anchors" is really part of system setup (or is part of the system).

I wouldn't mind if mozilla-rootcerts does the install step automatically. But then I think we should have a rule that packages may not depend on it, so it only gets installed intentionally.
The underlying problem is that the entire SSL/CA ecosystem is goofy (the many-CA, failure-of-any-of-which-leads-to-compromise situation, not the PKIX protocols). The idea that we configure trust anchors to hide warnings, and we're not talking about security issues, is a clue as to how bad the situation is. Certainly programs that don't like annoying warnings could perhaps configure them off, but presumably there is some intent to get the security properties SSL promises (but doesn't really deliver on).

We avoid this issue in firefox (or rather, delegate it to mozilla) by having mozilla use its own configured list of trust anchors rather than the system ones. On Mac, the system keychain comes preconfigured with a vast number of CAs, and wget from pkgsrc seems to use that system keychain. I am curious what the other BSDs and Linux systems do.
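What "having a trust anchor configured" means to OpenSSL, shown as an added example (not code from this thread, from pkgsrc, or from mozilla-rootcerts): a throwaway CA issues a certificate for a host, and the same certificate is then verified against a bundle that lacks the issuing CA and against one that contains it. Instead of touching the system certificate directory the way the install step discussed above would, it passes an explicit bundle with -CAfile, so it runs anywhere without side effects. It assumes only an `openssl` command on PATH and a writable temporary directory; the CA names `sysca` and `otherca` and the host name `example.test` are constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread, not code from pkgsrc or mozilla-rootcerts.
# Builds two constructed CAs and one leaf certificate, then shows that the
# verdict of `openssl verify` depends only on which CAs are in the bundle.
# Assumes an `openssl` command on PATH and a writable temporary directory.
set -u

# make_ca DIR NAME: write a self-signed CA (NAME.key, NAME.pem) into DIR.
make_ca() {
    dir=$1; name=$2
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $name (constructed test CA)
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" >/dev/null 2>&1
}

# make_leaf DIR CANAME: issue an end-entity certificate for example.test
# (constructed name), signed by DIR/CANAME, written to DIR/leaf.pem.
make_leaf() {
    dir=$1; ca=$2
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = example.test\n' \
        > "$dir/leaf.cnf"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:example.test\n' \
        > "$dir/leaf_ext.cnf"
    openssl req -newkey rsa:2048 -nodes -config "$dir/leaf.cnf" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/leaf_ext.cnf" \
        -out "$dir/leaf.pem" >/dev/null 2>&1
}

# verify_with_bundle BUNDLE CERT: print "trusted" if CERT chains to an anchor
# in BUNDLE, "untrusted" otherwise. Every program that hands OpenSSL the same
# bundle gets the same answer, which is why a system-wide bundle matters.
verify_with_bundle() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    work=$(mktemp -d)
    make_ca "$work" sysca      # the CA that actually issued the leaf
    make_ca "$work" otherca    # an unrelated CA; the leaf must not verify against it
    make_leaf "$work" sysca
    echo "bundle without the issuer: $(verify_with_bundle "$work/otherca.pem" "$work/leaf.pem")"
    echo "bundle with the issuer:    $(verify_with_bundle "$work/sysca.pem" "$work/leaf.pem")"
    rm -rf "$work"
}

demo
```

Running the script prints "untrusted" for the bundle that lacks the issuer and "trusted" for the one that contains it; concatenating both CA files into one bundle also yields "trusted", which is the effect of appending a CA list to whatever a host already trusts.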