pkgsrc-Users archive


Re: How to handle updates to mozilla-rootcerts?



Joerg Sonnenberger <joerg%bec.de@localhost> writes:

> On Thu, Apr 19, 2018 at 09:57:31AM +0200, Martin Husemann wrote:
>> On Thu, Apr 19, 2018 at 07:24:48AM +0100, Jonathan Perkin wrote:
>> > Could someone explain why this isn't ok?  I'll admit I don't really
>> > understand why people have issues with this.
>> 
>> This has strange side effects when you do not build in a chroot and don't
>> intend to install the resulting binary pkgs on the build machine.
>
> I don't understand. Building the package should not modify the system.
> If it does, the package is broken. Since destdir has been the default,
> packages are not just installed as part of building them.

Agreed in theory, but the mozilla rootcerts package has code to find the
system openssl config and change it at install time, and it seems that
various packages have it as a build dependency.  This is perhaps just a
special case of your general assertion that packages should not modify
the system by being installed, and certainly not outside of PREFIX.
While my discomfort is about security, the general concern you raise is
entirely valid.

