Date: Thu, 03 Jul 2014 12:27:13 -0230
From: Jonathan Anderson <jonathan@FreeBSD.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>
Cc: d@delphij.net, Ben Laurie <benl@freebsd.org>, gecko@FreeBSD.org, freebsd-security@FreeBSD.ORG, FreeBSD Ports Management Team <portmgr@FreeBSD.org>, re <re@freebsd.org>, Jung-uk Kim <jkim@freebsd.org>
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <53B56F49.7030109@FreeBSD.org>
In-Reply-To: <53B4B7FB.6070407@FreeBSD.org>
References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org>

Bryan Drewery wrote:
> libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl.

How very sensible!

> I like the idea of secteam maintaining a ca-root-freebsd.pem even
> better, as long as you are willing to.

Just my $.02, but if the FreeBSD project is to maintain a
ca-root-freebsd.pem, I think it should have one certificate in it: the
root FreeBSD Project cert. Beyond that, I'm not willing to vouch for the
trustworthiness of any CA, and I don't think the Project should either.
Let people install CA bundles from packages, even give admins the choice
of "the Mozilla bundle" vs "Dr Guru's paranoid bundle" vs whatever, but
I don't think the Project should be in the business of endorsing any
particular CA in the base system.

> IMHO always install it, don't depend on MK_OPENSSL. Is the file actually
> specific to OpenSSL? Ports would love to have it be available all the
> time regardless of SSL library choices.

Or we could patch the OpenSSL port to use /usr/local/etc/ssl too?

Jon
--
Jonathan Anderson
jonathan@FreeBSD.org