pkgsrc-Users archive


Re: How to handle updates to mozilla-rootcerts?





On 24/04/2018 16:06, Joerg Sonnenberger wrote:
> On Mon, Apr 23, 2018 at 08:39:26PM -0400, Greg Troxel wrote:
>> But, NetBSD the base system has made the choice not to do that.  This is
>> not fundamentally different from "sshd should be listening by default
>> and allow root logins without a password, because it's convenient" (but a
>> huge difference in degree, I realize).
>
> It's more a case of certain people bike shedding the topic to death and
> the lack of a working mechanism for actually updating the certificates.
> Frankly, the status quo of the base system is just broken. It is not
> just inconvenient, but outright broken.

I have to agree with this. As an end user I just want to install a package and get a set of https certificates that are classed as trusted by both the system applications and packages. I'd agree that installing such certificates as a build dependency is wrong, but there should at least be some simple documentation somewhere which says install this package to install the mozilla root certs (or whatever set is deemed trusted) to the system root certificate store. That package can be stand alone and not be depended on by anything as long as the documentation makes it EASY to find.

Up until this discussion occurred I wasn't even aware that the mozilla-rootcerts package didn't do that, as when you install a block of packages in bulk using pkgin it's impossible to read all the MESSAGES that get output.

The FreeBSD port/pkg experience is a lot less painful. Usually all you have to do to get something working is edit a config file and set the variable in rc.conf if it's a daemon. No copying files from usr/share/examples to /etc/rc.d or running manual install scripts to get things working.

It's also streets ahead in binary package updates. Two big areas where FreeBSD's pkg works better than pkgin are:

1. OS version update. It has a command to just forcibly re-install all packages. Only way I see to do this in pkgin is to remove everything and manually re-install and hope that my packages needed list is accurate and up to date.

2. package upgrades (libraries) as it also re-installs packages that depend on those libraries. It's common with pkgin for a library to change and something that depends on that library to break as the soname has changed. Recent examples were mencoder (broken when mplayer-core updated) and emacs, which broke when the otf library was upgraded under it. I know the pkgsrc team try to update the nb patchlevel for this but that's a thankless task for libraries that lots of packages depend on.

Mike

