Re: CVS commit: pkgsrc/security/mozilla-rootcerts

[Greg Troxel <gdt%lexort.com@localhost>]

Jonathan Perkin <jperkin%joyent.com@localhost> writes:

> * On 2020-03-27 at 13:33 GMT, Greg Troxel wrote:
>
>> Module Name: pkgsrc
>> Committed By:        gdt
>> Date:                Fri Mar 27 13:33:08 UTC 2020
>> 
>> Modified Files:
>>      pkgsrc/security/mozilla-rootcerts: DESCR
>> 
>> Log Message:
>> mozilla-rootcerts: Extend DESCR
>> 
>> Make it clear that this package does not configure certificates as
>> trust anchors.
>> 
>> Point to mozilla-rootcerts-openssl for actual installation.
>
> I'm not sure this makes things any clearer.  I'm still not fully clear
> on what exactly mozilla-rootcerts-openssl is for, I think it's only
> useful for the case where a user is using builtin openssl?

I used it to configure trust anchors into pkgsrc openssl, on a sytem
where pkgsrc chose pkgsrc openssl (because base was too old).

On one of your systems where openssl is provided by pkgsrc, does
mozilla-rootcerts-openssl work for you?

> For anyone using pkgsrc openssl, they just need to run the
> mozilla-rootcerts install script, for which we already have a MESSAGE,
> which now feels like it's contrary to DESCR.

Basically the mozilla-rootcerts-openssl package runs that command, and
that text (semantically) is from 2011 and predates the
mozilla-rootcerts-openssl package.

I think we should delete MESSAGE then (not right now).  The bit about
gnupg belongs as documentation, not MESSAGE, because it is mere
configuration information and not execptional.  More importantly, the
code should be hoisted into a mozilla-rootcerts-gnupg2 packge, just like
the -openssl one.   We should probabl also have a -gnutls version.


If you or others can confirm that mozilla-rootcerts-openssl works with
pkgsrc-provided openssl on systems where pkgsrc uses pkgsrc openssl, I
can de-confuse MESSAGE (and we can leave more serious changes to post
freeze).