Date:      Sun, 16 Sep 2018 18:54:30 +0200
From:      Kurt Jaeger <pi@freebsd.org>
To:        tech-lists <tech-lists@zyxst.net>
Cc:        Glen Barber <gjb@freebsd.org>, "Montgomery-Smith, Stephen" <stephen@missouri.edu>, "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org>
Subject:   Re: Error validating server certificate
Message-ID:  <20180916165430.GG2118@home.opsec.eu>
In-Reply-To: <03f42d93-57b0-062d-0fee-720c6444e58c@zyxst.net>
References:  <f168a02e-8959-aa91-2190-8fbe6d61e07b@missouri.edu> <20180912143719.GQ24641@FreeBSD.org> <03f42d93-57b0-062d-0fee-720c6444e58c@zyxst.net>

Hi!

> > You will not see this if you install the security/ca_root_nss port.

> Why is security/ca_root_nss not present in base?

There are several reasons:

- The project is hesitant to endorse certificate authorities (CAs), as some
  of them might be (or become) of questionable trustworthiness
  during the lifetime of a release and adding/changing all or some to base
  would add workload to decide which ones to include or to exclude.

- The amount of work to cut a new release or a patch for a release
  is large. If you look at the update frequency for the port:
  https://www.freshports.org/security/ca_root_nss/
  it would burden the project with base updates just for the CAs.

- Some suggested that the FreeBSD project should operate its own CA and
  issue certs for project sites and include the CA into base.
  Running and securing a CA is not a simple endeavour so we hesitated
  to do so.

> I mean, on a brand new install, one goes to update the sources, and just 
> the sources. And this error is issued?
> 
> I think it looks bad. Do you agree?

Yes, we all agree that it looks bad, but we have not yet found a simple,
workable solution. Yes, it was discussed many times in the past.

-- 
pi@FreeBSD.org         +49 171 3101372              2 years to go !


