Re: Does mozilla-rootcerts-openssl need to be unconditionally NOT_FOR_UNPRIVILEGED?

[Greg Troxel <gdt%lexort.com@localhost>]

Jason Bacon <outpaddling%yahoo.com@localhost> writes:

> If we're going to adhere to that policy at the expense of common tools
> not working out-of-the-box, maybe there's something else we can do for
> curl users like patch in a user-friendly message stating that it's a
> security policy and suggesting mozilla-rootcerts-openssl when this
> type of failure occurs.

"working" and "good security properties" are two different things, and
different people have difference opinions.

If you want to bring up on tech-pkg that pkgsrc should by default force
the mozilla root certs to be installed whenever *any package* that uses
openssl is installed, we can have that discussion.  I think it's got to
be either "this is the pkgsrc way" or "this is not the pkgsrc way" for
automatic (with a user tunable since obviously if we change not
everybody is ok with that), and that "I installed R and now my trust
anchors have changed" is madness (for any value of R :-).