tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Shipping SSL certificates in the base system

The question of root certificates for OpenSSL in base came up recently in pkgsrc. That got me thinking: why does NetBSD not come with a set of certificates in the base system? The set that mozilla-rootcerts delivers would be a reasonable thing to put there, because 
(a) that’s what literally everyone ends up installing anyway and 
(b) it does not require us to make a moral judgement about individual CAs.

This would have the advantage of no longer requiring to install mozilla-rootcerts explicitly. This removes one source of confusion too; for a n00b, it is not obvious that this is necessary, or why. Thus, it would be a sane default.

Disadvantage: the script that takes the file from mozilla and munges it is in Perl. But its _output_ could be checked in instead, so that the script does not need to be run during a build. (There might also be issues around licensing, but I defer to others for that.)

agc made the argument that including certificates is similar to including time zone data, which we do. We do not tell users to install a package to use non-UTC timezones, for instance.

What do you think?


Home | Main Index | Thread Index | Old Index