[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Shipping SSL certificates in the base system
The question of root certificates for OpenSSL in base came up recently in pkgsrc. That got me thinking: why does NetBSD not come with a set of certificates in the base system? The set that mozilla-rootcerts delivers would be a reasonable thing to put there, because
(a) that’s what literally everyone ends up installing anyway and
(b) it does not require us to make a moral judgement about individual CAs.
This would have the advantage of no longer requiring to install mozilla-rootcerts explicitly. This removes one source of confusion too; for a n00b, it is not obvious that this is necessary, or why. Thus, it would be a sane default.
Disadvantage: the script that takes the file from mozilla and munges it is in Perl. But its _output_ could be checked in instead, so that the script does not need to be run during a build. (There might also be issues around licensing, but I defer to others for that.)
agc made the argument that including certificates is similar to including time zone data, which we do. We do not tell users to install a package to use non-UTC timezones, for instance.
What do you think?
Main Index |
Thread Index |