RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Jonathan Anderson
jonathan at FreeBSD.org
Fri Jul 4 12:30:33 UTC 2014
John-Mark Gurney wrote:
> Dan Lukes wrote this message on Thu, Jul 03, 2014 at 02:26 +0200:
>> If I consider a CA to be trustworthy, I will insert it's certificate to
>> trusted store. No one is welcomed to make such decision in behalf of me.
>
> As others have said, you can customize FreeBSD how you want.. There
> is no, we will uninstall FreeBSD if you uninstall (or set WITHOUT_xxx)
> on your FreeBSD system...
So we agree that customization is required, the question is what a user
has to do to effect this customization:
1. install a package (possibly included on the install media), or
2. set WITHOUT_MOZILLA_CA_BUNDLE and rebuild FreeBSD.
To me, the approach that doesn't require "rebuild FreeBSD" is the
simpler one.
It also doesn't require a Security Advisory every time a CA gets dropped
from Mozilla's bundle (which ought to happen a lot). Ports get updated,
people get that. I don't think we should introduce things in the base
system that we *know* will require SAs, freebsd-update, etc.
Jon
--
Jonathan Anderson
jonathan at FreeBSD.org
More information about the freebsd-security
mailing list