tech-pkg archive


Re: Does mozilla-rootcerts-openssl need to be unconditionally NOT_FOR_UNPRIVILEGED?



On 4/3/21 8:33 AM, Greg Troxel wrote:
> Jason Bacon <outpaddling%yahoo.com@localhost> writes:
>
>> I like the idea of a trust anchors variable in mk.conf.  Whenever
>> there's good reason to have different views, let the end-user decide.
>> I would add a question to auto-pkgsrc-setup so the issue is dealt with
>> during setup as the user sees fit.
>
> I think it's reasonable in concept for pkgsrc to configure pkgsrc
> openssl to somehow adopt the trust anchors of the base system.  But,
> that's pretty tricky since one might expect it to track, and that might
> mean making etc/openssl/certs a symlink, and that seems likely to have
> unintended consequences.
>
> So I think where I am is that I'm willing to review a concrete proposal
> to do something, but I'm not sure how I'll respond once I see the
> discussion of the edge cases, and I also don't expect an easy consensus.
>
> (I do expect to quickly say that any proposal doesn't explain well
> enough what happens in various situations, and to keep being difficult
> like that until it's understood and only then address the issue on its
> merits.  I expect this to be pretty difficult, and as it solves a
> problem I don't have, am not eager to work on it.)

I'm not driven to push this issue either, but since others have brought it up independently I thought it was worth following up.

Currently my auto-pkgsrc-setup script (http://netbsd.org/~bacon/) describes the issue and offers to install mozilla-rootcerts*, which is good enough for me.  My only concern is for people unaware of the pkgsrc curl issue who are running bootstrap manually, but they're likely sharp enough to find a solution on their own.

Best,

    JB


