tech-pkg archive


Re: mozilla-rootcerts-openssl



On Mon, Mar 23, 2015 at 07:28:11AM +0100, Tobias Nygren wrote:
 > > Being tired of the way mozilla-rootcerts works (the point of having
 > > packages is so that if you get a bajillion files blatted somewhere the
 > > package manager can clean them up or update them afterwards...) I have
 > > concocted the following hack to directly manage the cert files that it
 > > spews.
 > > 
 > > This requires a small straightforward patch to mozilla-rootcerts so
 > > that its script accepts the -d destdir option.
 > > 
 > > It appears that openssl does not support more than one directory of
 > > certs (sheesh) which is I guess how mozilla-rootcerts ended up the way
 > > it is; anyway, the result is that this is an abusive package that
 > > installs the files directly into etc/openssl/certs, and for native
 > > openssl it's an especially abusive package because this is outside
 > > $PREFIX.
 > > 
 > > Nonetheless it's better than not having it.
 > > 
 > > Comments?
 > 
 > This is useful, I like it. But I have a feature request if I may be so
 > bold: I could really use support for local addon CAs in this package.
 > Like if I have an internal root CA I'd like to be able to drop its .pem
 > file in FILESDIR and have it installed and managed in the same way.

ISTM (at least offhand) that can/should be a separate package. It
would need another copy of the logic for using /etc, but that can
probably be moved into a shared file somewhere if there's demand.
(e.g. security/openssl/certdata.mk)

well, hrm, there's also the hashing bit.

I dunno, I'm not really up on this stuff; this is the first time I've
really looked at how openssl deals with certs and key management and
it seems like a trainwreck.

-- 
David A. Holland
dholland%netbsd.org@localhost
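
Added example, not part of the original message and not pkgsrc code: a sketch of the "hashing bit" for the local add-on CA case, where OpenSSL finds a certificate in a cert directory through a link named after its subject-name hash plus a numeric suffix. The function names and the source/destination directories are hypothetical; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not pkgsrc code): function and directory names are hypothetical.

# SHA-256 fingerprint line of a PEM certificate, used to compare two files.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Create <subject-hash>.<n> in directory $2 pointing at certificate $1.
# OpenSSL probes .0, .1, ... and stops at the first gap, so take the first
# free slot; if a slot already holds this certificate, leave things alone.
link_cert() {
    lc_pem=$1 lc_dir=$2
    lc_hash=$(openssl x509 -in "$lc_pem" -noout -subject_hash) || return 1
    lc_fp=$(cert_fp "$lc_pem") || return 1
    lc_n=0
    while [ -e "$lc_dir/$lc_hash.$lc_n" ]; do
        [ "$(cert_fp "$lc_dir/$lc_hash.$lc_n")" = "$lc_fp" ] && return 0
        lc_n=$((lc_n + 1))
    done
    ln -s "$(basename "$lc_pem")" "$lc_dir/$lc_hash.$lc_n"
}

# Copy every parseable *.pem from $1 into cert directory $2 and hash-link it.
install_local_cas() {
    ic_src=$1 ic_dst=$2
    mkdir -p "$ic_dst" || return 1
    for ic_pem in "$ic_src"/*.pem; do
        [ -f "$ic_pem" ] || continue
        # Skip files that do not parse as an X.509 certificate.
        if ! openssl x509 -in "$ic_pem" -noout 2>/dev/null; then
            echo "skipping non-certificate: $ic_pem" >&2
            continue
        fi
        cp "$ic_pem" "$ic_dst/" || return 1
        link_cert "$ic_dst/$(basename "$ic_pem")" "$ic_dst" || return 1
    done
}
```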

