Re: [PATCH] HTTPS/TLS CA certificates in base

On 2023-08-20 08:12, Taylor R Campbell wrote:
     Rhetorical Devil's advocate question:  What's the potential blast
radius for the worst case scenario where a CA's private key is
compromised before its certificate expires and a bunch of NetBSD users
don't update their bundle for two years?

This is no different from any other security issue on a machine on the

The reason I "like" (probably not the right word..) the "user needs to explicitly do something to get the CA bundle there in the first place" is because it's sort-of like clicking "I agree" to something. Maybe you didn't actually read the agreement, but at least you've been made aware that there is one.

Implicitly installing a CA bundle in a system to make things work is nice, but it hides the fact that there is something there one ought to care about [and make sure is kept up to date].

It is different in the sense that in the very unlikely event of a CA-related meltdown, previously $OTHER_PROJECT/$MACHINE_OWNER would be in the headlines, not the NetBSD project.

But this is so hypothetical that it's not a reason to object. I just wanted it brought up so no one can say that the discussions hadn't been had.

   I say go for it.

Kind Regards,

