NetBSD-Users archive


Re: Problem cloning at GitHub using HTTPS



On Fri, Mar 27, 2020 at 9:53 AM Greg Troxel <gdt%lexort.com@localhost> wrote:
>
> Jeffrey Walton <noloader%gmail.com@localhost> writes:
>
> > How can I configure pkg_add to do all the extra work? Users should not
> > have to do this stuff manually. The man page does not discuss these
> > extra steps.
>
> Not sure what man page you are referring to, but the issue of default
> trust anchors is not an easy one.  One person's "just works" is
> another's security failure by allowing validation of certificates signed
> by CAs they view as untrustworthy.   There is significant history of bad
> CA behavior.
>
> I have just updated DESCR for the mozilla-rootcerts and
> mozilla-rootcerts-openssl to explain the situation.  Basically, pkgsrc
> is currently respecting the base system trust anchor policy, and
> provides mozilla-rootcerts-openssl to configure openssl (base system or
> pkgsrc, whichever is used by pkgsrc packages).
>
> This issue has arisen because various programs have enabled validation
> of certificates relatively recently.
>
> > CA is 2020. I am a firm believer the tools should do the work for me.
> > I don't work for the tools.
>
> In 2020, the public CA situation is still not really ok.  Let me know
> when you've fixed that :-)

Those who install mozilla-rootcerts accept the risk. Those who don't
trust the CA zoo will not issue 'pkg_add mozilla-rootcerts' in the
first place.

Are you arguing someone will install mozilla-rootcerts but then _not_
want to use it? That makes no sense.

Jeff

