Board: FB_security
Title: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Posted from: NCTU CS FreeBSD Server (Fri Jul 4 06:33:13 2014)
Relayed via: ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow
Daniel Roethlisberger wrote:
> I share your view that there should be functional HTTPS capability in
> a base install.
I think we're all agreed on that, my point is that the statement "a base
install should have a CA bundle by default" does not have to imply
"every FreeBSD system must accept the same CAs". A "base install" is
something that's been customized by the installer: we don't all have the
same keyboard, we don't all extract a ports tree at install time, so why
not make CA bundles part of the install-time customization?
Put another way, /etc/ssl and /usr/local/etc/ssl are additive, not
subtractive: we can make it easy for users to install whatever CA
bundles they like, but if you put a bad CA cert in the base system, I
have to manually patch the base system, even in environments where I'd
rather use binary releases and freebsd-update.
Jon
--
Jonathan Anderson
[email protected]