Hauke Fath <hf%spg.tu-darmstadt.de@localhost> writes: >> Take a look at >> >> security/mozilla-rootcerts >> security/mozilla-rootcerts-openssl >> >> It will not install these for you, and I think that's fine too. > > It is not, in that a 'make' (or even 'make clean') for a git based > package accessing the repository via SSL will error out, and you get to > find out that (and how) you have to provide git with an SSL cert store. The basic problem is that the underlying way PKI works in the real world is unsound (one is expected to configure ~100 CAs as trust anchors). Some systems preload these, and NetBSD has chosen not to, in order to leave security-critical decisions to the user. We should review which tools insist on a validated path for https fetch, and whether we think it's reasonable for them to fail. Then whether pkgsrc should insist on certificate chain validation. Arguably it need not, because we have hashes for distfiles. So perhaps fetches using curl should all disable cert path checking. Turning it off per package doesn't make sense. That's kind of like setting FETCH_USING because the system ftp doesn't support https, and we decided not to do that.
Description: PGP signature