tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [PATCH] www/curl certbundle and missing dep



On 11/15/20 3:03 PM, Greg Troxel wrote:
"Dr. Thomas Orgis" <thomas.orgis%uni-hamburg.de@localhost> writes:

Any reaction to the certbundle part?
I'm not entirely clear on this.  In general, the entire subject of
configuring trust anchors is a bit messy.  Typically, when a pkgsrc
program uses openssl, it ends up using that's openssl's trust anchor
configuration.

So, it seems there is something more going on, and curl is not using the
default verifier, but is doing something more.

I don't understand SSLCERTBUNDLE; I don't find it in
security/openssl/builtin.mk.

I don't understand the "it is essential", as it seems the normal
approach is to have certs in SSLCERTS with the hash symlinks.   If
someone has a bundle instead, and openssl by default reads that too,
that's fine -- but curl seems to be doing things its own way.

I also think it's incorrect to change behavior of a tool at run time
based on whether there was or was not a bundle present at configure
time, if that's what is going on.  The buildtime system's trust anchor
configuaration is not really related to the runtime system's
configuration.

Overall this problem seems like a symptom of curl not using the default verifier.


Can you explain what the problem is, and why you think this is the right
thing to do?

We had this discussion before and the consensus was that pulling in certs as a dependency is not the pkgsrc way.

In response, I added a user prompt to auto-pkgsrc-setup briefly explaining and offering to install mozilla-rootcerts.

There are some tools in pkgsrc where the default install won't work without them, such as R's install.packages() now that CRAN is https only.  It works with curl from Yum but not from pkgsrc unless the certs are installed.

    JB



Home | Main Index | Thread Index | Old Index