pkgsrc-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: How to handle updates to mozilla-rootcerts?
On 23 April 2018 at 20:39, Greg Troxel <gdt%lexort.com@localhost> wrote:
>>> So far, NetBSD has chosen not to install trust anchors in the system
>>> openssl. You can view this as a cop-out for not dealing, or taking the
>>> high road and separating policy from mechanism, but that's how it is
>>> today. Other systems seem to have varying approaches, and I'm not clear
>>> on exactly which ones take which paths. To avoid getting into
>>> validating CAs, it seems an OS should choose between 1) none and 2) the
>>> mozilla list.
>>
>> Right. This is what motivates the existence of the mozilla-
>> rootcerts package, which is also fine.
>>
>>> As for weeding out CAs, I don't really know how people typically choose.
>>> The issue is not so much domains signed by untrusted CAs, as that having
>>> an untrusted CA in the trust anchor set means that if a cert for some
>>> other domain is presented, it will be believed.
>>
>> I suspect that most folks are not aware that they have the option to
>> pick and choose from the mozilla-rootcerts list, they merely know of
>> "none" and "the mozilla list". I suspect that the group of people
>> who want to be picky wrt. which CAs they trust are in the ignorable
>> minority with respect to how pkgsrc should deal with this, i.e. they
>> can probably be left to craft their own setups -- we should however
>> cater for the "typical". (Sure, if this can be made sufficiently
>> flexible to also optionally cater to special needs, that's fine
>> too.)
>
> But, NetBSD the base system has made the choice not to do that. This is
> not fundamentally different from "sshd should be listening by default
> and allow root logins without a password, because its convenient" (but a
> huge difference in degree, I realize).
Who cares. The result is unworkable.
Every time I try to build / install / use git (to pull pkgsrc.git or
netbsd.git) on a fresh NetBSD install I end up tripping over an
obscure error about no trust (and not even the tiniest bread crumb).
Searching for a solution turns up:
- most likely, and unfortunately: how to cripple the tool's
certificate check ...
or
- if you're really lucky: how to install the Mozilla root certs using ...
I always thought it was a bug that would be fixed in the next update.
Guess I'm wrong :-(
Even http://wiki.netbsd.org/pkgsrc/how_to_use_pkgsrc/ forgets to
mention this tiny tiny detail.
Andrew
Home |
Main Index |
Thread Index |
Old Index