Re: mozilla rootcerts in base

[Taylor R Campbell <riastradh%NetBSD.org@localhost>]

> Date: Tue, 29 Aug 2023 08:29:20 +0000
> From: pin <voidpin%protonmail.com@localhost>
> 
> I can see the rootcerts are installed
> ~ > ls /etc/openssl/
> drwxr-xr-x root wheel 9.0 KB Tue Aug 29 09:56:03 2023  certs
> .r--r--r-- root wheel 373 B  Mon Aug 28 13:12:42 2023  certs.conf
> drwxr-xr-x root wheel 512 B  Mon Aug 28 13:12:42 2023  misc
> drwx------ root wheel 512 B  Mon Aug 28 13:12:42 2023  private

yay (except I made a mistake with the permissions of certs.conf,
should be 644, and should be fixed in HEAD now)

> So, I thought I could simply remove the mozilla-rootcerts package but, it's not that simple :(
> 
> ~ > pkgin rm mozilla-rootcerts
> 23 packages to delete:

Can you find out which ones depend directly on mozilla-rootcerts by
querying `pkg_info mozilla-rootcerts'?

On the one hand, mozilla-rootcerts won't interfere with
/etc/openssl/certs -- the package itself just provides data at
$PREFIX/share/mozilla-rootcerts, and a command that _if you run it_
will touch /etc/openssl/certs.  So it's harmless to have it installed.
(mozilla-rootcerts-openssl is a different story.)

On the other hand, generally I think it is a mistake for packages to
depend on this and to look in $PREFIX/share/mozilla-rootcerts directly
instead of in /etc/openssl/certs.  So while there is a usability
argument for depending on mozilla-rootcerts, maybe we should start
making those dependencies conditional on NetBSD<=9 or start removing
them altogether.

Once we remove those dependencies in NetBSD>=10, and you update your
packages, you should be able to delete mozilla-rootcerts just fine.