Re: How to handle updates to mozilla-rootcerts?

To: Greg Troxel <gdt%lexort.com@localhost>
Subject: Re: How to handle updates to mozilla-rootcerts?
From: Jonathan Perkin <jperkin%joyent.com@localhost>
Date: Thu, 19 Apr 2018 07:24:48 +0100

* On 2018-04-18 at 23:46 BST, Greg Troxel wrote:

>   The idea that you install some random package and as a side effect the
>   set of configured system trust anchors changes is not ok.  So we
>   either need some explicit user choice to let mozilla-rootcerts control
>   system trust anchors, or a rule that it can't be a dependency.

Could someone explain why this isn't ok?  I'll admit I don't really
understand why people have issues with this.  My vague understanding
is that some folks don't trust all of the CAs bundled in this package
and go through and weed out the ones they don't like, but then what do
they do about domains that are signed by that CA?

If it's only a small minority of people who do this, then it seems
unfair to ruin everyone else's experience, when those who do have such
concerns are likely technical enough to implement a post-install way
of doing the pruning or setting a build flag or whatever without
affecting users who just want HTTPS to work out of the box.

-- 
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com

Follow-Ups:
- Re: How to handle updates to mozilla-rootcerts?
  - From: Greg Troxel
- Re: How to handle updates to mozilla-rootcerts?
  - From: Martin Husemann

References:
- How to handle updates to mozilla-rootcerts?
  - From: Havard Eidnes
- Re: How to handle updates to mozilla-rootcerts?
  - From: Greg Troxel

Prev by Date: Re: How to handle updates to mozilla-rootcerts?
Next by Date: Re: How to handle updates to mozilla-rootcerts?
Previous by Thread: Re: How to handle updates to mozilla-rootcerts?
Next by Thread: Re: How to handle updates to mozilla-rootcerts?
Indexes:

Home | Main Index | Thread Index | Old Index