Benny Siegert <bsiegert%gmail.com@localhost> writes:
> On Sat, Dec 7, 2013 at 2:18 AM, Makoto Fujiwara <makoto%ki.nu@localhost> wrote:
>> To process this part properly, following steps are necessary (I believe),
>> (1) # pkg_add mozilla-rootcerts (not if DEPENDS in Makefile)
>> and after reading 'pkg_info -D mozilla-rootcerts' or so,
>> (2) # mozilla-rootcerts install
>
> I have argued in the past for automatically doing the "install" step,
> as the package is basically useless otherwise. But there has been
> resistance from people saying that certificate lists are config files
> and should be installed manually by the administrator.
>
> Personally, I believe that this represents a non-obvious hoop to jump
> through for a normal user. Probably 90% of people who install the
> mozilla-rootcerts package do not care about any of these subtleties,
> they just want the damn certificate warnings to go away.
>
> (This is why I wrote the install mode, by the way. Before that, the
> instructions were like "just execute these ten simple commands".)

This is a difficult question. The idea that one's system will have
additional trust anchors (for all programs that use openssl) because one
installed some random package that one didn't even think about whether
it uses ssl is nonobvious and surprising from a security viewpoint.
Perhaps NetBSD's base system should have configured trust anchors
instead; this isn't really about pkgsrc. Or perhaps we don't want to
and we want to make users think about which CAs they trust. So I tend
to think that the approach of not having programs depend on
mozilla-rootcerts is better, and "how to think about what to do about
trust anchors" is really part of system setup (or is part of the
system).

I wouldn't mind if mozilla-rootcerts does the install step
automatically. But then I think we should have a rule that packages may
not depend on it, so it only gets installed intentionally.

The underlying problem is that the entire SSL/CA ecosystem is goofy (the
many-CA, failure of any of which leads to compromise situation, not the
PKIX protocols).

The idea that we configure trust anchors to hide warnings, and we're not
talking about security issues is a clue as to how bad the situation is.
Certainly programs that don't like annoying warnings could perhaps
configure them off, but presumably there is some intent to get the
security properties SSL promises (but doesn't really deliver on).

We avoid this issue in firefox (or rather, delegate it to mozilla) by
having mozilla use its own configured list of trust anchors rather than
the system ones. On Mac, the system keychain comes preconfigured with a
vast number of CAs, and wget from pkgsrc seems to use that system
keychain.

I am curious what the other BSDs and Linux systems do.
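The concern raised above is that a package install can silently widen the set of trust anchors for every OpenSSL consumer on the host. The check an administrator would want is a before/after inventory of the trust store. The following is an added example, not code from this thread or from the mozilla-rootcerts package; it uses only the Python standard library so it runs offline. It identifies each PEM certificate block by the SHA-256 fingerprint of its DER bytes (the same value `openssl x509 -fingerprint -sha256` prints) and diffs two snapshots. The sample "certificates" are constructed labelled byte strings, not real ASN.1, and the trust-store path mentioned in the comments is an assumption about where `mozilla-rootcerts install` writes, not something taken from the thread.

```python
"""Inventory the trust anchors in a PEM bundle and diff two snapshots.

Added example (standard library only). Each CERTIFICATE block is
base64-decoded to its DER bytes and identified by the SHA-256 fingerprint
of those bytes, which matches `openssl x509 -fingerprint -sha256`.
"""
import base64
import hashlib
import re

# One PEM certificate block; DOTALL so the base64 body may span lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_fingerprints(bundle_text: str) -> list[str]:
    """Return the SHA-256 fingerprint (lowercase hex) of every certificate
    in the bundle, in file order. A duplicated anchor appears twice."""
    fps = []
    for match in _PEM_BLOCK.finditer(bundle_text):
        body = "".join(match.group(1).split())  # drop line breaks
        der = base64.b64decode(body, validate=True)
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def trust_store_delta(before: str, after: str) -> tuple[set[str], set[str]]:
    """Compare two snapshots of a trust store, e.g. the concatenation of
    /etc/openssl/certs (assumed location) taken before and after running
    `mozilla-rootcerts install`. Returns (added, removed) fingerprint sets."""
    b, a = set(pem_fingerprints(before)), set(pem_fingerprints(after))
    return a - b, b - a


def _fake_cert_block(label: bytes) -> str:
    """Constructed stand-in for a certificate: the 'DER' is just a labelled
    byte string, not real ASN.1, so the parsing path can be exercised offline."""
    b64 = base64.b64encode(label).decode("ascii")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


# Constructed sample: the administrator's one hand-picked anchor ...
BEFORE = _fake_cert_block(b"constructed: internal corporate CA, chosen by admin")
# ... and the same store after a package dropped in two more anchors.
AFTER = (BEFORE
         + _fake_cert_block(b"constructed: vendor CA #1 added by package")
         + _fake_cert_block(b"constructed: vendor CA #2 added by package"))


def report(before: str, after: str) -> str:
    """Human-readable summary of what a package install changed."""
    added, removed = trust_store_delta(before, after)
    lines = [f"anchors before: {len(pem_fingerprints(before))}",
             f"anchors after:  {len(pem_fingerprints(after))}"]
    lines += [f"ADDED   {fp}" for fp in sorted(added)]
    lines += [f"REMOVED {fp}" for fp in sorted(removed)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE, AFTER))
```

In practice the two snapshots would be the concatenated contents of the trust directory captured before and after the package install, and every fingerprint in the ADDED list is an anchor that now vouches for servers to every OpenSSL-linked program on the system.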