Re: CVS commit: pkgsrc/security/mozilla-rootcerts

[Greg Troxel <gdt%lexort.com@localhost>]

Leonardo Taccari <leot%NetBSD.org@localhost> writes:

> Greg Troxel writes:
>> [...]
>> I think we should delete MESSAGE then (not right now).  The bit about
>> gnupg belongs as documentation, not MESSAGE, because it is mere
>> configuration information and not execptional.  More importantly, the
>> code should be hoisted into a mozilla-rootcerts-gnupg2 packge, just like
>> the -openssl one.   We should probabl also have a -gnutls version.
>> [...]
>
> At the moment gnutls hardcodes the default trust store and explicitly
> depends on mozilla-rootcerts (yes, probably that's a bug but not
> passing `--with-default-trust-store-file=' configure argument leads to
> a gnutls package that honors possible trust store in
> not-completely-predictable way depending on the configure logic
> auto-guessing).
>
> What a mozilla-rootcerts-gnutls should do/provide?

Given what you said, there is no need.  I had no idea how gnutls worked.

> On the other hand, if there are other CAs collection and someone is
> interested a generic "rootcerts" meta-package could be interesting to
> permit the user to select their favourite rootcerts (maybe similar to
> what is done for ghostscript).

That's a huge can of worms!  The realistic issue is choosing a subset of
mozilla.   I would prefer to keep this separate from dealing with
mozilla for now, but if whatever is clean and nonconfusing I don't
object.