From owner-freebsd-security@FreeBSD.ORG  Fri Jul  4 01:13:15 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 04526E50
 for <freebsd-security@freebsd.org>; Fri,  4 Jul 2014 01:13:15 +0000 (UTC)
Received: from mail-qa0-x22c.google.com (mail-qa0-x22c.google.com
 [IPv6:2607:f8b0:400d:c00::22c])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id B205C2A52
 for <freebsd-security@freebsd.org>; Fri,  4 Jul 2014 01:13:14 +0000 (UTC)
Received: by mail-qa0-f44.google.com with SMTP id hw13so836427qab.17
 for <freebsd-security@freebsd.org>; Thu, 03 Jul 2014 18:13:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=eitanadler.com; s=0xdeadbeef;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc:content-type;
 bh=5D/O2pGPv7r1T05qYGzvo7XwovnNjeUMzggXxz4DccA=;
 b=i5+vI6iH96FVZiA7GxzD96oBt2h3yv5NjbLy0ZpwVUIa31LRyECoJUvwemejRjDvRH
 /aEQsTjCgyV2gGZyKLV6f1cyt08oq7LdnlgB++6D+FIY2MZa5yTRoVDU4ln4P+hfDhXY
 5ergkjE1aplxVqTzr+vcnw77tI5r3vC9yQQCs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc:content-type;
 bh=5D/O2pGPv7r1T05qYGzvo7XwovnNjeUMzggXxz4DccA=;
 b=f98qJmpMCsG5cHtuCjsgNB1EzlVOzZOCksBO5DHuxFERecAURWiW9Jk8hOacEeyk0A
 E2+J7y2fRHbNzNZ7F6reNu1TcyNonnURURTj0cEKIzkeqsZPuMD96HmjA9A9K0I27Pi2
 bIY904SjR3uT0UTkYIkTWUJFYy9ZFlNgjgqICcU1Fwc7HhYymbYTcpySD7ONf0zKWBaE
 xihShjVqUtBlxURyInHLUspRoEMAHK7FBdmp6z8A2TyEdgXHJxmGZfpYXr1dHLL9MdwN
 WXVQ9Xn1uq3FAlnG58ziQYQU4IlxoNb6vxDFHDVGC5GJ+9aT6Jg8+M5qqRXCErKvSD0p
 8mqw==
X-Gm-Message-State: ALoCoQnu3etfTh9rEB6qBHGs3iufYo/0sTIu1UPDKUB4ORRejPSa1xI/IR3JiZ8wF+HSc3ypshsG
X-Received: by 10.229.90.196 with SMTP id j4mr13221389qcm.11.1404436393861;
 Thu, 03 Jul 2014 18:13:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.96.88.132 with HTTP; Thu, 3 Jul 2014 18:12:43 -0700 (PDT)
In-Reply-To: <53B5FD51.4050309@FreeBSD.org>
References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org>
 <53B56F49.7030109@FreeBSD.org>
 <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw@mail.gmail.com>
 <20140703221448.GA99094@calvin.ustdmz.roe.ch> <53B5FD51.4050309@FreeBSD.org>
From: Eitan Adler <lists@eitanadler.com>
Date: Thu, 3 Jul 2014 18:12:43 -0700
Message-ID: <CAF6rxg=U+VaDjF9SGc-zPHPYm+D2f0=oLnq1Brh_EkeVv2HNJA@mail.gmail.com>
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
To: Jonathan Anderson <jonathan@freebsd.org>
Content-Type: text/plain; charset=UTF-8
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jul 2014 01:13:15 -0000

On 3 July 2014 18:03, Jonathan Anderson <jonathan@freebsd.org> wrote:
> Put another way, /etc/ssl and /usr/local/etc/ssl are additive, not
> subtractive: we can make it easy for users to install whatever CA bundles
> they like, but if you put a bad CA cert in the base system, I have to
> manually patch the base system, even in environments where I'd rather use
> binary releases and freebsd-update.

Lets turn it into a config file then?   Why does this have to happen
at install time?

We are just dealing with defaults here.  In general, the default
system should Just Work.


-- 
Eitan Adler