Benny Siegert <bsiegert%gmail.com@localhost> writes:

> +David Holland because he probably has opinions.
>
> On Fri, Nov 27, 2020 at 4:45 PM Ryo ONODERA <ryo%tetera.org@localhost> wrote:
>> pkgsrc/security/mozilla-rootcerts/MESSAGE contains the following
>> explanation.
>>
>> > Execute this command to extract and rehash all CA root certificates
>> > distributed by the Mozilla Project, so that they can be used by third
>> > party applications using OpenSSL. It also creates a single file
>> > certificate bundle in PEM format which can be used by applications using
>> > GnuTLS.
>> >
>> > # mozilla-rootcerts install
>
> I added this command. Before "mozilla-rootcerts install" existed, the
> MESSAGE gave a list of a dozen steps to follow, which I converted into
> a shell script.

That script is and has been for a long time clearly referenced in DESCR.
I see the purpose of DESCR as explaining what the package is and what it
can do, pointing to packages that do things that one might expect to
find in this package, as well as explaining what's current and what's
old. I expect people to look at DESCR.

But, given mozilla-rootcerts-openssl, I think DESCR should primarily
point out that second package as I see the other package as the standard
approach if you want things installed.

> No one has ever fully explained to me why a separate
> mozilla-rootcerts-openssl is needed. Installing mozilla-rootcerts and
> running the command should be enough.

It is enough in some sense, but by that logic no package is needed
because the user can download the source for something and run
configure, make, make install.

The point of the mozilla-rootcerts-openssl package is to wrap the
command behind the package abstraction. It lets people just put that in
a list of packages, instead of having to run commands. Uninstalling that
package should and I think does deconfigure the CAs; if not that's a bug.

Whether anyone "needs" this is a philosophical question, but it seems a
number of people do use it.

I know you know this, but for others reading: It is a separate package
because by policy we don't allow dependencies on packages that make
config changes beyond the package itself.