NetBSD-Users archive


Re: Problem cloning at GitHub using HTTPS



Jeffrey Walton <noloader%gmail.com@localhost> writes:

> How can I configure pkg_add to do all the extra work? Users should not
> have to do this stuff manually. The man page does not discuss these
> extra steps.

Not sure what man page you are referring to, but the issue of default
trust anchors is not an easy one.  One person's "just works" is
another's security failure by allowing validation of certificates signed
by CAs they view as untrustworthy.   There is significant history of bad
CA behavior.

I have just updated DESCR for mozilla-rootcerts and
mozilla-rootcerts-openssl to explain the situation.  Basically, pkgsrc
is currently respecting the base system trust anchor policy, and
provides mozilla-rootcerts-openssl to configure openssl (base system or
pkgsrc, whichever is used by pkgsrc packages).

This issue has arisen because various programs have enabled validation
of certificates relatively recently.

> CA is 2020. I am a firm believer the tools should do the work for me.
> I don't work for the tools.

In 2020, the public CA situation is still not really ok.  Let me know
when you've fixed that :-)

