Jonathan Anderson wrote this message on Fri, Jul 04, 2014 at 10:00 -0230: > John-Mark Gurney wrote: > >Dan Lukes wrote this message on Thu, Jul 03, 2014 at 02:26 +0200: > >>If I consider a CA to be trustworthy, I will insert it's certificate to > >>trusted store. No one is welcomed to make such decision in behalf of me. > > > >As others have said, you can customize FreeBSD how you want.. There > >is no, we will uninstall FreeBSD if you uninstall (or set WITHOUT_xxx) > >on your FreeBSD system... > > > So we agree that customization is required, the question is what a user > has to do to effect this customization: > > 1. install a package (possibly included on the install media), or > 2. set WITHOUT_MOZILLA_CA_BUNDLE and rebuild FreeBSD. 3. rm /etc/ssl/cert.ca > To me, the approach that doesn't require "rebuild FreeBSD" is the > simpler one. > > It also doesn't require a Security Advisory every time a CA gets dropped > from Mozilla's bundle (which ought to happen a lot). Ports get updated, > people get that. I don't think we should introduce things in the base > system that we *know* will require SAs, freebsd-update, etc. But don't we want people to get in the habit of patching/addressing security issues? As far as this one is to address, it's easy... manually fetch and install this file... A lot easier than most SA's to address by hand if you're not using freebsd-update.. -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"