From: Eirik Øverby
Date: Thu, 20 Nov 2014 11:13:46 +0100
Subject: FreeBSD Port: security/ca_root_nss
To: gecko@FreeBSD.org
Cc: Espen Tagestad
List-Id: Gecko Rendering Engine issues (freebsd-gecko@freebsd.org)

Hi,

we just had our package distribution severely broken by the recent change in ca_root_nss that installs a cert.pem symlink in /usr/local/etc/ssl by default, with no option to disable during build time. Since system fetch (and other tools) defaults to reading the file from /usr/local/etc/ssl before /etc/ssl, this effectively got all our systems stranded, unable to install/update packages.

I see this was discussed on the freebsd-security list, but unfortunately I did not have time to follow the full discussion (trusting the conclusion would be, like before, to allow the sysadmin to decide whom to trust), and therefore did not realise this would be the outcome.

I'm sure I'm bikeshedding now, but to me this seems like something that _should_ have been a build-time option, that _should_ have defaulted to disabled, and that _really_should_ have been mentioned in UPDATING as it breaks all kinds of stuff - either by things suddenly not working, or by introducing security problems (I really REALLY do not want to trust any 3rd party when it comes to where I fetch my built packages from, for instance).

Apologies if this email seems a bit edgy - it would be because I've just spent quite a few hours trying to figure out what on earth just happened... ;-)

Wbr
Eirik Øverby
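
A host-side check for the situation the message describes, added here as an example and not part of the original email or of the port: it reports which cert.pem wins under the lookup order given above (/usr/local/etc/ssl before /etc/ssl), whether that file is a symlink, how many trust anchors it carries, and whether it overrides a different bundle in /etc/ssl. The ROOT prefix argument and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Lookup order is the one the message describes; the ROOT
# prefix argument and all function names are hypothetical.
CANDIDATES="/usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem"

# Print the first readable candidate under ROOT; a dangling symlink is skipped.
effective_ca_bundle() {
    root="${1%/}"
    for c in $CANDIDATES; do
        if [ -r "$root$c" ]; then printf '%s\n' "$c"; return 0; fi
    done
    return 1
}

# Count PEM certificates in a bundle; each one is a trust anchor.
count_trust_anchors() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed when the ports-side bundle overrides a base bundle with different
# contents, i.e. the trust set in use is not the one placed in /etc/ssl.
local_bundle_shadows_base() {
    root="${1%/}"
    [ -r "$root/usr/local/etc/ssl/cert.pem" ] || return 1
    [ -r "$root/etc/ssl/cert.pem" ] || return 1
    ! cmp -s "$root/usr/local/etc/ssl/cert.pem" "$root/etc/ssl/cert.pem"
}

# One fact per line, so the output can be diffed before and after an upgrade.
ca_bundle_report() {
    root="${1%/}"
    path=$(effective_ca_bundle "$root") || { echo "effective: none"; return 1; }
    echo "effective: $path"
    if [ -L "$root$path" ]; then
        echo "symlink-to: $(readlink "$root$path")"
    fi
    echo "trust-anchors: $(count_trust_anchors "$root$path")"
    if local_bundle_shadows_base "$root"; then
        echo "warning: $path overrides a different /etc/ssl/cert.pem"
    fi
}

# Report on the running system, or on a jail/image root given as $1.
ca_bundle_report "${1:-/}" || true
```

Saving the report before a package upgrade and comparing it afterwards shows when a port has changed the effective trust store.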