pkgsrc-Users archive


Re: How to handle updates to mozilla-rootcerts?




On 24/04/2018 16:06, Joerg Sonnenberger wrote:
> On Mon, Apr 23, 2018 at 08:39:26PM -0400, Greg Troxel wrote:
>> But, NetBSD the base system has made the choice not to do that.  This is
>> not fundamentally different from "sshd should be listening by default
>> and allow root logins without a password, because it's convenient" (but a
>> huge difference in degree, I realize).
>
> It's more a case of certain people bike shedding the topic to death and
> the lack of a working mechanism for actually updating the certificates.
> Frankly, the status quo of the base system is just broken. It is not
> just inconvenient, but outright broken.

I have to agree with this. As an end user I just want to install a package and get a set of https certificates that are classed as trusted by both the system applications and packages. I'd agree that installing such certificates as a build dependency is wrong, but there should at least be some simple documentation somewhere which says install this package to install the mozilla root certs (or whatever set is deemed trusted) to the system root certificate store. That package can be stand alone and not be depended on by anything as long as the documentation makes it EASY to find.

Up until this discussion occurred I wasn't even aware that the
mozilla-rootcerts package didn't do that, as when you install a block of
packages in bulk using pkgin it's impossible to read all the MESSAGES
that get output.

The FreeBSD port/pkg experience is a lot less painful. Usually all you
have to do to get something working is edit a config file and set the
variable in rc.conf if it's a daemon. No copying files from
usr/share/examples to /etc/rc.d or running manual install scripts to get
things working.

It's also streets ahead in binary package updates. Two big areas where
FreeBSD's pkg works better than pkgin are:

1. OS version update. It has a command to just forcibly re-install all
packages. The only way I see to do this in pkgin is to remove everything and
manually re-install and hope that my packages needed list is accurate
and up to date.

2. Package upgrades (libraries), as it also re-installs packages that
depend on those libraries. It's common with pkgin for a library to change
and something that depends on that library to break as the soname has
changed. Recent examples were mencoder (broken when mplayer-core
updated) and emacs, which broke when the otf library was upgraded under
it. I know the pkgsrc team try to update the nb patchlevel for this but
that's a thankless task for libraries that lots of packages depend on.

Mike

