Jason Bacon <outpaddling%yahoo.com@localhost> writes:

> I like the idea of a trust anchors variable in mk.conf. Whenever
> there's good reason to have different views, let the end-user decide.
> I would add a question to auto-pkgsrc-setup so the issue is dealt with
> during setup as the user sees fit.

I think it's reasonable in concept for pkgsrc to configure pkgsrc openssl to somehow adopt the trust anchors of the base system. But, that's pretty tricky since one might expect it to track, and that might mean making etc/openssl/certs a symlink, and that seems likely to have unintended consequences.

So I think where I am is that I'm willing to review a concrete proposal to do something, but I'm not sure how I'll respond once I see the discussion of the edge cases, and I also don't expect an easy consensus.

(I do expect to quickly say that any proposal doesn't explain well enough what happens in various situations, and to keep being difficult like that until it's understood and only then address the issue on its merits. I expect this to be pretty difficult, and as it solves a problem I don't have, am not eager to work on it.)