Martin Husemann <martin%duskware.de@localhost> writes:

> On Tue, Jul 20, 2021 at 02:58:21PM +0200, Rhialto wrote:
>> Some package systems have the concept of "recommended" or "suggested"
>> packages. If we had that, such dependencies could be expressed that
>> way.
>
> I think (as Greg said) it is an issue with the NetBSD base system and should
> be solved there. Main problem is to agree on the set of trusted CAs and
> having a proper way to update that set.
>
> If someone solves the set + infrastructure, I'll happily deal with
> build + install issues ;-)
>
> Does anybody know what exact differences in trusted CAs other open source
> OSes use?

My impression is that everybody who does preconfigured trust anchors uses
the Mozilla set. I am not clear on how many people believe "every
member of the Mozilla set is trustworthy".

It seems like tricky, unpleasant and dangerous business to deviate from
the Mozilla set.

So I lean to a question in the installer (and a command-line program) to
configure and deconfigure those, and not just silently doing it.

I don't see why prestaging mozilla-rootcerts-openssl and
mozilla-rootcerts packages is bad, but one could also have the same
code/contents in base vs pkgsrc and not drag in anything pkgsrc, which
seems better.