Re: security/ca-certificates

[Kimmo Suominen <kim%netbsd.org@localhost>]

I respectfully object to removing ca-certificates, as it is the only
available package for managing certificates on NetBSD for the system
OpenSSL in a way that allows using multiple sources, including local
CAs.

On Wed, 8 Jun 2022 at 09:24, nia <nia%netbsd.org@localhost> wrote:
>
> I would like to request that security/ca-certificates be removed
> pending further discussion.
>
> Reasons:
>
> - It's dirty and attempts to modify files outside of the pkgsrc
> $PREFIX. This isn't standard behaviour and I don't think it's
> something we should encourage.

While I agree that writing outside of $PREFIX is generally
undesirable, it is the only possible approach for configuring
certificates for the native OpenSSL on NetBSD. For example,
security/mozilla-rootcerts-openssl also does that.

I don't understand what "dirty" means here. If it is important, it
would be good to elaborate.

> - It has a name that's "too obvious" for users coming from Linux.
>   People install it because it's similar to what they're used to
>   on Debian, not knowing that the standard method with pkgsrc is
>   something difficult.

I wish that the standard method with pkgsrc was not something difficult.

If I had more time available, I would actually like to work towards
including ca-certificates in base. I think it is a rather elegant
approach for solving the problem of managing multiple sources of
certificates in an end-user configurable manner.

Kind regards,
+ Kimmo

> - We didn't have any discussion about changing the way certificates
>   are installed in pkgsrc at any point in the last two years.
>   I really should have brought it up at the time, but the last
>   two years have made fools of us all ;)
>
> I think ca-certificates should not have been imported without
> discussion.