[Bug 230414] security/py-certifi: add option to use certificate bundle from ca_root_nss

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Aug 7 11:29:59 UTC 2018 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230414

Kubilay Kocak <koobs at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|maintainer-feedback?(sergey |
                   |@akhmatov.ru)               |

--- Comment #4 from Kubilay Kocak <koobs at FreeBSD.org> ---
(In reply to Sergey Akhmatov from comment #2)

I wouldn't say anyone is strictly against anything, particularly since this is
a specific (third-party ecosystem) case without an obvious policy/guideline. 

Having said that, not being against something doesn't automatically or
necessarily mean being pro/for position a change either.

For what it's worth, it's good to have references to other OS's making similar
changes.

I think this ultimately boils down to the distinction you make in your 'main
point', which I understand and agree with.

It's one thing to want to extend a provided trust store (1), its another
entirely to switch out a specific set with another set ((2), what is proposed
here).

Also, if I understand correctly, switching certifi's store out for that
provided by security/ca_root_nss, would be the first step to getting the
desired feature of local extensions to that store, via bug 160387. I don't
think doing (2), in order to achieve (1) is the right approach.

While I understand the value of the feature being described, I also believe
that with the above context, the most important thing here is still
user-expectation, and principle of least astonishment. Users/developers
installing certifi would expect to get the certs/store/trust model the
documentation of certifi stipulates, unless options provided (officially) by
that package allowed otherwise.

I would still recommend making the case for the added value of the
"extend-certifi-store" feature to upstream.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.

More information about the freebsd-python mailing list