tech-pkg archive

Re: Does mozilla-rootcerts-openssl need to be unconditionally NOT_FOR_UNPRIVILEGED?



Jason Bacon <outpaddling%yahoo.com@localhost> writes:

> Perhaps security/mozilla-rootcerts-openssl should be a run dependency
> for www/curl?  As ubiquitous as https is now, anyone using curl will
> probably have to install mozilla-rootcerts-openssl anyway.

So far, we have taken the position that NetBSD base does not install
trust anchors by default, and that choosing trust anchors is a decision
by a system administrator, not someone editing a package.

I would say that if we want to revisit this, we should have a pkgsrc
default with a variable, and have it not be related to any particular
package.

Arguably, this is all coming up because curl and wget are now defaulting
to validating certificates rather than not.  But it's not clear exactly
how different not validating is compared to adding 100 trust anchors.
(Yes, I realize it's different - my point is that 100 trust anchors
leads to quite a lot of exposure.)

