tech-pkg archive


Re: mozilla rootcerts in base



------- Original Message -------
On Tuesday, August 29th, 2023 at 10:49 AM, Taylor R Campbell <riastradh%NetBSD.org@localhost> wrote:


> > Date: Tue, 29 Aug 2023 08:29:20 +0000
> > From: pin voidpin%protonmail.com@localhost
> > 
> > I can see the rootcerts are installed
> > ~ > ls /etc/openssl/
> > drwxr-xr-x root wheel 9.0 KB Tue Aug 29 09:56:03 2023  certs
> > .r--r--r-- root wheel 373 B Mon Aug 28 13:12:42 2023  certs.conf
> > drwxr-xr-x root wheel 512 B Mon Aug 28 13:12:42 2023  misc
> > drwx------ root wheel 512 B Mon Aug 28 13:12:42 2023  private
> 
> 
> yay (except I made a mistake with the permissions of certs.conf,
> should be 644, and should be fixed in HEAD now)

No problem, easy fix :)

~ > ls /etc/openssl/
drwxr-xr-x root wheel 9.0 KB Tue Aug 29 09:56:03 2023  certs
.rw-r--r-- root wheel 373 B  Mon Aug 28 13:12:42 2023  certs.conf
drwxr-xr-x root wheel 512 B  Mon Aug 28 13:12:42 2023  misc
drwx------ root wheel 512 B  Mon Aug 28 13:12:42 2023  private


> > So, I thought I could simply remove the mozilla-rootcerts package, but it's not that simple :(
> > 
> > ~ > pkgin rm mozilla-rootcerts
> > 23 packages to delete:
> 
> 
> Can you find out which ones depend directly on mozilla-rootcerts by
> querying `pkg_info mozilla-rootcerts'?

Yes, of course

~ > pkg_info mozilla-rootcerts
Information for mozilla-rootcerts-1.0.20230720:

Comment:
Root CA certificates from the Mozilla Project

Required by:
p11-kit-0.25.0
gnutls-3.8.1

Description:
This package provides the certificates distributed by the Mozilla
Project, with the exception of any certificates not globally trusted.

It also provides a script, mozilla-rootcerts, which can be used to
install the root CA certificates distributed by the Mozilla Project
into a location that makes them usable by TLS implementations, extract
them to the current working directory, or rehash the existing
certificates.

NB: This package provides certificates, but does not as a consequence
of installation place them in a location that makes them immediately
usable by SSL/TLS implementations.

Use the 'mozilla-rootcerts install' script or mozilla-rootcerts-openssl
package if you want to use these certificates.

This package includes instructions for configuring gnupg2 to use the
certificates.

Homepage:
https://hg.mozilla.org/mozilla-central/log/tip/security/nss/lib/ckfw/builtins/certdata.txt

> On the one hand, mozilla-rootcerts won't interfere with
> /etc/openssl/certs -- the package itself just provides data at
> $PREFIX/share/mozilla-rootcerts, and a command that if you run it
> will touch /etc/openssl/certs. So it's harmless to have it installed.
> (mozilla-rootcerts-openssl is a different story.)

I'm aware of the difference, but usually I do run the install script.
Hence, I've removed /etc/openssl altogether before upgrading.

/Pedro
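
An added example, not part of the thread and not NetBSD's own tooling: a POSIX shell audit of the /etc/openssl modes discussed above. The expected modes are assumptions taken from the listing and the 644 correction in this thread; the function names and the extra check for group- or world-writable files under certs are this example's own.

```shell
#!/bin/sh
# Added example: audit the modes of an OpenSSL trust directory.
# Expected modes are assumptions taken from the listing in this thread
# (certs.conf 644 per the reply; certs and misc 755; private 700).

# has_mode PATH OCTAL -> succeeds only if PATH exists with exactly that mode.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# audit_openssl_dir ROOT -> prints one line per finding and returns
# 0 when the tree is clean, 1 when anything deviates.
audit_openssl_dir() {
    root=$1
    bad=0
    while read -r name mode; do
        if ! has_mode "$root/$name" "$mode"; then
            echo "MODE $root/$name: expected $mode"
            bad=1
        fi
    done <<EOF
certs 755
certs.conf 644
misc 755
private 700
EOF
    # A trust anchor writable by group or other lets a non-root user
    # add a CA. Symlinks (the hash links) are skipped: their own mode
    # bits are not what controls access.
    writable=$(find "$root/certs" ! -type l \( -perm -020 -o -perm -002 \) 2>/dev/null)
    if [ -n "$writable" ]; then
        echo "WRITABLE $writable"
        bad=1
    fi
    return $bad
}
```

Run it as `audit_openssl_dir /etc/openssl`; a non-zero exit status means at least one entry deviates from the expected layout.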

