tech-pkg archive


Re: Does mozilla-rootcerts-openssl need to be unconditionally NOT_FOR_UNPRIVILEGED?



On 2020-03-10 14:53, Jonathan Perkin wrote:
> * On 2020-03-10 at 19:24 GMT, Jason Bacon wrote:
>
> > On 2020-03-10 08:38, Denys Nykula wrote:
> > > 10 March 2020, 08:05:12 "Jason Bacon" <outpaddling%yahoo.com@localhost>:
> > >
> > > > security/mozilla-rootcerts-openssl
> > > >
> > > > I found that on Darwin, it installs and functions fine in an
> > > > unprivileged tree if I comment out NOT_FOR_UNPRIVILEGED.
> > > >
> > > > It seems to me that the unprivileged install is only needed to install
> > > > in /etc, which only happens if using builtin openssl.
> > > >
> > > > I think the patch below should allow installing in unprivileged mode:
> > >
> > > Can confirm, I have an unprivileged Linux pkgsrc prefix where with such
> > > patch the certs install fine and make curl work without -k.
> >
> > I believe the need for this in R is also due to R's use of curl.
> >
> > Perhaps security/mozilla-rootcerts-openssl should be a run dependency for
> > www/curl?  As ubiquitous as https is now, anyone using curl will probably
> > have to install mozilla-rootcerts-openssl anyway.
>
> I forget what exactly the point of mozilla-rootcerts-openssl is, but
> please don't add it as a dependency - for those of us happy to use the
> mozilla-rootcerts by default, only the mozilla-rootcerts package
> itself is required, along with a run of the install script.

All I can say at this point is mozilla-rootcerts by itself doesn't fix install.packages() in R.  I checked that before installing mozilla-rootcerts-openssl.

My main concern is other sysadmins trying out pkgsrc for the first time, discovering that basic tools like curl don't work, and not having the time or inclination to figure out why.

As I mentioned previously, I think simply providing the solution would be sufficient and maybe in some people's eyes even make pkgsrc look superior to other package managers that don't consider the security implications of installing certs automatically.

    JB


