Date: Fri, 04 Jul 2014 10:00:29 -0230 From: Jonathan Anderson <jonathan@FreeBSD.org> To: Dan Lukes <dan@obluda.cz>, d@delphij.net, freebsd-security@freebsd.org, gecko@freebsd.org Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default? Message-ID: <53B69E65.7020507@FreeBSD.org> In-Reply-To: <20140704024451.GU45513@funkthat.com> References: <53B499B1.4090003@delphij.net> <53B4A337.3010907@obluda.cz> <CAF6rxgkhXtXCjWGpbcm0UU3Rr57dXJojQJ05Rqe-sQ_Nmyp8KQ@mail.gmail.com> <53B4BFD2.2060903@obluda.cz> <53B499B1.4090003@delphij.net> <53B4A337.3010907@obluda.cz> <20140704024451.GU45513@funkthat.com>
next in thread | previous in thread | raw e-mail | index | archive | help
John-Mark Gurney wrote: > Dan Lukes wrote this message on Thu, Jul 03, 2014 at 02:26 +0200: >> If I consider a CA to be trustworthy, I will insert it's certificate to >> trusted store. No one is welcomed to make such decision in behalf of me. > > As others have said, you can customize FreeBSD how you want.. There > is no, we will uninstall FreeBSD if you uninstall (or set WITHOUT_xxx) > on your FreeBSD system... So we agree that customization is required, the question is what a user has to do to effect this customization: 1. install a package (possibly included on the install media), or 2. set WITHOUT_MOZILLA_CA_BUNDLE and rebuild FreeBSD. To me, the approach that doesn't require "rebuild FreeBSD" is the simpler one. It also doesn't require a Security Advisory every time a CA gets dropped from Mozilla's bundle (which ought to happen a lot). Ports get updated, people get that. I don't think we should introduce things in the base system that we *know* will require SAs, freebsd-update, etc. Jon -- Jonathan Anderson jonathan@FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53B69E65.7020507>