Date: Tue, 07 Aug 2018 11:29:57 +0000
From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: [Bug 230414] security/py-certifi: add option to use certificate bundle from ca_root_nss
Message-ID: <bug-230414-21822-ZqeXxYXTyN@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-230414-21822@https.bugs.freebsd.org/bugzilla/>
References: <bug-230414-21822@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230414

Kubilay Kocak <koobs@FreeBSD.org> changed:

           What    |Removed                                  |Added
----------------------------------------------------------------------------
              Flags|maintainer-feedback?(sergey@akhmatov.ru) |

--- Comment #4 from Kubilay Kocak <koobs@FreeBSD.org> ---
(In reply to Sergey Akhmatov from comment #2)

I wouldn't say anyone is strictly against anything, particularly since this is
a specific (third-party ecosystem) case without an obvious policy/guideline.

Having said that, not being against something doesn't automatically or
necessarily mean being pro/for position a change either.

For what it's worth, it's good to have references to other OS's making similar
changes.

I think this ultimately boils down to the distinction you make in your 'main
point', which I understand and agree with.

It's one thing to want to extend a provided trust store (1), it's another
entirely to switch out a specific set with another set ((2), what is proposed
here).

Also, if I understand correctly, switching certifi's store out for that
provided by security/ca_root_nss, would be the first step to getting the
desired feature of local extensions to that store, via bug 160387.

I don't think doing (2), in order to achieve (1) is the right approach.

While I understand the value of the feature being described, I also believe
that with the above context, the most important thing here is still
user-expectation, and principle of least astonishment.

Users/developers installing certifi would expect to get the certs/store/trust
model the documentation of certifi stipulates, unless options provided
(officially) by that package allowed otherwise.

I would still recommend making the case for the added value of the
"extend-certifi-store" feature to upstream.