RFC: Proposal: Install a /etc/ssl/cert.pem by default?
John-Mark Gurney
jmg at funkthat.com
Fri Jul 4 15:40:23 UTC 2014
Jonathan Anderson wrote this message on Fri, Jul 04, 2014 at 10:00 -0230:
> John-Mark Gurney wrote:
> >Dan Lukes wrote this message on Thu, Jul 03, 2014 at 02:26 +0200:
> >>If I consider a CA to be trustworthy, I will insert it's certificate to
> >>trusted store. No one is welcomed to make such decision in behalf of me.
> >
> >As others have said, you can customize FreeBSD how you want.. There
> >is no, we will uninstall FreeBSD if you uninstall (or set WITHOUT_xxx)
> >on your FreeBSD system...
>
>
> So we agree that customization is required, the question is what a user
> has to do to effect this customization:
>
> 1. install a package (possibly included on the install media), or
> 2. set WITHOUT_MOZILLA_CA_BUNDLE and rebuild FreeBSD.
3. rm /etc/ssl/cert.ca
> To me, the approach that doesn't require "rebuild FreeBSD" is the
> simpler one.
>
> It also doesn't require a Security Advisory every time a CA gets dropped
> from Mozilla's bundle (which ought to happen a lot). Ports get updated,
> people get that. I don't think we should introduce things in the base
> system that we *know* will require SAs, freebsd-update, etc.
But don't we want people to get in the habit of patching/addressing
security issues? As far as this one is to address, it's easy...
manually fetch and install this file... A lot easier than most SA's
to address by hand if you're not using freebsd-update..
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the freebsd-security
mailing list