Current-Users archive


Re: security/mozilla-rootcerts-openssl post certificate inclusion in base



On Tue, 26 Sept 2023 at 12:21, Greg Troxel <gdt%lexort.com@localhost> wrote:
>
> Chavdar Ivanov <ci4ic4%gmail.com@localhost> writes:
>
> > lack cause anything? On top of this, I seem not to be able to remove
> > mozilla-rootcerts-openssl, as it is required by hs-x509-system, itself
> > required eventually by converters/pandoc. (I sorted this out by
>
> That's a bug.  It is against policy for a package to require
> mozilla-rootcerts-openssl.
>
> > replacing the latter package after cvs updating - the NetBSD
> > conditional in the Makefile has been removed so after that nothing
> > stopped me from removing mozilla-rootcerts-openssl; leaving the
> > comments in the mail as someone else may find himself in the same
> > situation).
>
> And it's fixed.

sure,

>
> > The query is then about the 198 certificates present in the package
> > but missing in base - are they likely to cause any problems?
>
> I would uninstall mozilla-rootcerts-openssl and then make sure your cert
> dir is ok.
>
> Are you saying that mozilla-rootcerts-openssl has CAs that base does
> not, separately from the history of how your system got to be how it is?

I just did a clean installation of -current from yesterday. This
leaves /etc/openssl/certs with one single file and 280 links to files
and links in /usr/share/certs/mozilla. However, the real files in that
directory are 170 - exactly the number of real files in the package
(which contains 169 links and 170 files). As the number of files
appears the same, I'd say that base provides what is needed, even if
it looks much different... I will replace /etc/openssl/certs on my
historical system with the contents from the cleanly installed one,
that should do the job. I believe no other package should have added
anything there.

The confusion was created by the package which was still dependent on
mozilla-rootcerts-openssl at the time of invoking 'pkg_admin rebuild'
prior to pkg_rolling-replace.

There are other small bits which can cause trouble - e.g. my
yesterday's -current works just fine (as a VMWare Workstation guest),
but when I selected the option of setting up pkgin during the
installation (my build host serves it locally via ftp), it did all the
setting up but could not actually invoke pkgin - as it was missing
/usr/lib/libarchive.so.4.0 - the system now has 5.0 and pkgin was
still not updated - I was about to start the rolling replace. I copied
the older version onto the new system until the rolling replace
completes on the build one. It is -current, after all; I build it
usually every two weeks or so and it usually is very stable, but one
has to be prepared to deal with such issues from time to time.





-- 
----
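
Added example, not part of the original message or of NetBSD/pkgsrc: one way to check that a certificate directory is in the state described above, by classifying every entry as a symlink resolving under the base tree, a symlink resolving elsewhere, a dangling symlink, or a regular file. The function names are made up for this example; the two paths in the usage comment are the ones named in the thread, and `readlink -f` is assumed to be available.

```shell
#!/bin/sh
# Usage: sh certdir-audit.sh /etc/openssl/certs /usr/share/certs/mozilla

# classify_entry ENTRY BASEDIR
# Prints: base (symlink resolving under BASEDIR), foreign (symlink resolving
# elsewhere), dangling (symlink whose target is gone), file, or other.
classify_entry() {
    if [ -L "$1" ]; then
        # -e follows the link, so failure means the final target is missing
        [ -e "$1" ] || { echo dangling; return 0; }
        real=$(readlink -f "$1")    # follows chains such as hash link -> name link
        root=$(readlink -f "$2")
        case $real in
            "$root"/*) echo base ;;
            *)         echo foreign ;;
        esac
    elif [ -f "$1" ]; then
        echo file
    else
        echo other
    fi
}

# audit_certdir CERTDIR BASEDIR: prints "<class> <name>" per entry, sorted
audit_certdir() {
    for entry in "$1"/* "$1"/.[!.]*; do
        # skip unmatched glob patterns but keep dangling symlinks
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        printf '%s %s\n' "$(classify_entry "$entry" "$2")" "${entry##*/}"
    done | sort
}

# count_class CLASS CERTDIR BASEDIR: number of entries in that class
count_class() {
    audit_certdir "$2" "$3" | awk -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# needs_review CERTDIR BASEDIR: everything that is not a link into BASEDIR
needs_review() {
    audit_certdir "$1" "$2" | grep -v '^base ' || true
}

if [ "$#" -eq 2 ]; then
    needs_review "$1" "$2"
fi
```

Entries reported as `foreign` or `dangling` are the leftovers a removed package can leave behind; regular files are listed so they can be checked by hand.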

