Darren J Moffat wrote:
> Brian Cameron wrote:
>>
>> LSARC:
>>
>> The case materials have been updated to reflect that HTTPS support
>> will be disabled.  See attached updated onepager and a diff file
>> that shows the differences between this version of the onepager and
>> the previous version.
>
> I'm coming to this issue late.  However I disagree with disabling
> HTTPS support for the reasons that were given.
>
> This is a toolkit; it isn't an end application.  Doing this disabling
> of HTTPS makes us unnecessarily different to other platforms that 
> provide WebKit.
>
> If the issue is just that OpenSolaris doesn't have a set of well known
> (i.e. the big public CAs) SSL trust anchors then let's fix that problem
> - it is actually known and is being addressed by the Solaris security
> team.
> We shouldn't punish projects like this for that deficiency, 
> particularly since it is possible for the admin/developer to rectify 
> the situation.
>
> Also this is really no different from several other similar cases with SSL.
>
> If HTTPS is not enabled then I will derail this case and call for a vote.
>

I don't think the only issue is the lack of a handy, well known cert 
repository;  the fact that the underlying implementation doesn't 
validate properly would probably surprise folks.

The choices that I saw were:
a) Deliver with HTTPS disabled by default.  Principle of least astonishment.
b) Deliver with (incomplete and ostensibly unsafe) HTTPS enabled by default.

If you're insisting on B, how do you advise managing the gap?  Log a 
bug?  Document a warning?  Assume developers will be diligent or just know?
