Re: security/mozilla-rootcerts and mozilla-rootcerts-openssl

To: tech-pkg <tech-pkg%netbsd.org@localhost>
Subject: Re: security/mozilla-rootcerts and mozilla-rootcerts-openssl
From: David Holland <dholland-pkgtech%netbsd.org@localhost>
Date: Sun, 29 Nov 2020 00:07:47 +0000

On Fri, Nov 27, 2020 at 11:30:11AM -0500, Greg Troxel wrote:
 > The point of the mozilla-rootcerts-openssl package is to wrap the
 > command behind the package abstraction.  It lets people just put that in
 > a list of packages, instead of having to run commands.  Uninstalling
 > that package should and I think does deconfigure the CAs; if not that's
 > a bug.  Whether anyone "needs" this is a philosophical question, but it
 > seems a number of people do use it.

Yes. In particular, a large part of the point is: the script spews a
gazillion certs into your openssl config. It works this way because
it has to; openssl's config scheme leaves a fair amount to be
desired.

With the package, you can remove them again with confidence using
pkg_delete.

Without, it's at best tedious to clean them out and dangerous if you
miss one, especially if you miss one that got removed by an update.

-- 
David A. Holland
dholland%netbsd.org@localhost

References:
- security/mozilla-rootcerts and mozilla-rootcerts-openssl
  - From: Ryo ONODERA
- Re: security/mozilla-rootcerts and mozilla-rootcerts-openssl
  - From: Benny Siegert
- Re: security/mozilla-rootcerts and mozilla-rootcerts-openssl
  - From: Greg Troxel

Prev by Date: daily pkgsrc CVS update output
Next by Date: daily pkgsrc CVS update output
Previous by Thread: Re: security/mozilla-rootcerts and mozilla-rootcerts-openssl
Next by Thread: Re: security/mozilla-rootcerts and mozilla-rootcerts-openssl
Indexes:

Home | Main Index | Thread Index | Old Index