pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/security/mozilla-rootcerts-openssl mozilla-rootcerts-o...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/32d184a3df4b
branches:  trunk
changeset: 414438:32d184a3df4b
user:      gdt <gdt%pkgsrc.org@localhost>
date:      Fri Mar 27 13:42:53 2020 +0000

description:
mozilla-rootcerts-openssl: Revise and extend DESCR

Explain the purpose, and then explain the mechanism and why it is
somewhat and very irregular in the pkgsrc and native cases.

Point to mozilla-rootcerts as providing certificates without
configuring them as trust anchors.

diffstat:

 security/mozilla-rootcerts-openssl/DESCR |  23 +++++++++++++++++------
 1 files changed, 17 insertions(+), 6 deletions(-)

diffs (29 lines):

diff -r a0e74305266b -r 32d184a3df4b security/mozilla-rootcerts-openssl/DESCR
--- a/security/mozilla-rootcerts-openssl/DESCR  Fri Mar 27 13:33:08 2020 +0000
+++ b/security/mozilla-rootcerts-openssl/DESCR  Fri Mar 27 13:42:53 2020 +0000
@@ -1,7 +1,18 @@
-This is a hack for managing the certificate files installed into
-the OpenSSL certs directory by the mozilla-rootcerts package.
+This package configures the Mozilla rootcerts bundle CAs as trust
+anchors in OpenSSL, so that programs using OpenSSL will be able to use
+them to validate SSL certificates.
+
+For pkgsrc-provided OpenSSL, this package operates modifies
+${PREFIX}/etc/ssl/certs as installed by another package.  This is
+somewhat irregular as packages should not modify content under etc.
 
-For native OpenSSL it operates directly in /etc/ssl/certs (because it
-has to) and not under the pkgsrc prefix, and even for pkgsrc OpenSSL
-it still scribbles in $PREFIX/etc/ssl/certs where packages normally
-shouldn't. Be advised.
+For native OpenSSL, it modifies the base system OpenSSL certificate
+directory, e.g. /etc/openssl/certs or /etc/ssl/certs.  This is
+necessary to configure trust anchors for native OpenSSL, so that
+progams in pkgsrc can use these CA certs in validation.  Modification
+of /etc is very irregular as pkgsrc should not write anything outside
+of ${PREFIX}.
+
+See also the mozilla-rootcerts package (which this one depends on) for
+placing the Mozilla CA list in the filesystem but not configuring it
+into OpenSSL.
\ No newline at end of file



Home | Main Index | Thread Index | Old Index