pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Depending on security/ca-certificates?

On Mon, Jul 19, 2021 at 12:40:38PM -0400, Greg Troxel wrote:
This is slightly messy and there isn't 100% consensus.
[ lots of useful information snipped ]

One view is that the admin has failed to configure the set of trust
anchors that they want to trust, and that this isn't bug in your
package, but a feature that CAs that the admin hasn't approved aren't
being used.   That's more or less how I see it.

Yes, true. One obvious downside of that approach (as others have noted) is
that lots of software that uses TLS doesn't work "out the box". And
searching online for, eg, git not trusting a certificate could lead to the "GIT_SSL_NO_VERIFY" workaround, which is not ideal.

Having read all that, I think that packages absolutely must not depend
on ca-certificates, because then installing some random package
indirectly causes a change in systemwide security settings.   We more or
less came to this conclusion about mozilla-rootcerts-openssl.

Yes, that makes sense. I've removed the dependency.

pkgsrc has more or less taken the view that choice of trust anchors is
up to the base system config and sysadmin decisions, and pretty clearly
taken the view that it is not up to individual packages to change these
decisions, although mozilla-rootcerts-openssl is provided as a tool for
admins to make that policy choice.

That makes sense and (IMHO) that's a sane policy. Has the decision not to
add default trust anchors in the base system been discussed/reviewed
recently? It would be rather useful if pkg_add/pkgin could support https
out the box... Both OpenBSD and FreeBSD ship with a set of trusted CAs (I'm
assuming derived mostly from the Mozilla list, although I haven't dug into
it in any detail).

Thanks for the very detailed response - much appreciated.

Cheers, MJ
Michael-John Turner * *

Home | Main Index | Thread Index | Old Index