tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Does mozilla-rootcerts-openssl need to be unconditionally NOT_FOR_UNPRIVILEGED?

Jason Bacon <> writes:

> Perhaps security/mozilla-rootcerts-openssl should be a run dependency
> for www/curl?  As ubiquitous as https is now, anyone using curl will
> probably have to install mozilla-rootcerts-openssl anyway.

So far, we have taken the position that NetBSD base does not install
trust anchors by default, and that choosing trust anchors is a decision
by a system administrator, not someone editing a package.

I would say that if we want to revisit this, we should have a pkgsrc
default with a variable, and have it not be related to any particular

Arguably, this is all coming up because curl and wget are now defaulting
to validating certificates rather than not.  But it's not clear excctly
how different not validating is compared to adding 100 trust anchors.
(Yes, I realize it's different - my point is that 100 trust anchors
leads to quite a lot of exposure.)

Home | Main Index | Thread Index | Old Index