[pkgsrc/trunk]: pkgsrc/security/mozilla-rootcerts-openssl mozilla-rootcerts-o...

To: pkgsrc-changes-hg%NetBSD.org@localhost
Subject: [pkgsrc/trunk]: pkgsrc/security/mozilla-rootcerts-openssl mozilla-rootcerts-o...
From: gdt <gdt%pkgsrc.org@localhost>
Date: Mon, 06 Apr 2020 13:24:30 +0000

details:   https://anonhg.NetBSD.org/pkgsrc/rev/c2eb8653dcf4
branches:  trunk
changeset: 426179:c2eb8653dcf4
user:      gdt <gdt%pkgsrc.org@localhost>
date:      Fri Mar 27 13:42:53 2020 +0000

description:
mozilla-rootcerts-openssl: Revise and extend DESCR

Explain the purpose, and then explain the mechanism and why it is
somewhat and very irregular in the pkgsrc and native cases.

Point to mozilla-rootcerts as providing certificates without
configuring them as trust anchors.

diffstat:

 security/mozilla-rootcerts-openssl/DESCR |  23 +++++++++++++++++------
 1 files changed, 17 insertions(+), 6 deletions(-)

diffs (29 lines):

diff -r d6b0231cad29 -r c2eb8653dcf4 security/mozilla-rootcerts-openssl/DESCR
--- a/security/mozilla-rootcerts-openssl/DESCR  Fri Mar 27 13:33:08 2020 +0000
+++ b/security/mozilla-rootcerts-openssl/DESCR  Fri Mar 27 13:42:53 2020 +0000
@@ -1,7 +1,18 @@
-This is a hack for managing the certificate files installed into
-the OpenSSL certs directory by the mozilla-rootcerts package.
+This package configures the Mozilla rootcerts bundle CAs as trust
+anchors in OpenSSL, so that programs using OpenSSL will be able to use
+them to validate SSL certificates.
+
+For pkgsrc-provided OpenSSL, this package operates modifies
+${PREFIX}/etc/ssl/certs as installed by another package.  This is
+somewhat irregular as packages should not modify content under etc.
 
-For native OpenSSL it operates directly in /etc/ssl/certs (because it
-has to) and not under the pkgsrc prefix, and even for pkgsrc OpenSSL
-it still scribbles in $PREFIX/etc/ssl/certs where packages normally
-shouldn't. Be advised.
+For native OpenSSL, it modifies the base system OpenSSL certificate
+directory, e.g. /etc/openssl/certs or /etc/ssl/certs.  This is
+necessary to configure trust anchors for native OpenSSL, so that
+progams in pkgsrc can use these CA certs in validation.  Modification
+of /etc is very irregular as pkgsrc should not write anything outside
+of ${PREFIX}.
+
+See also the mozilla-rootcerts package (which this one depends on) for
+placing the Mozilla CA list in the filesystem but not configuring it
+into OpenSSL.
\ No newline at end of file

Prev by Date: [pkgsrc/trunk]: pkgsrc/textproc/pugixml pugixml: Doesn't need gmake
Next by Date: [pkgsrc/trunk]: pkgsrc/security/mozilla-rootcerts mozilla-rootcerts: Extend D...
Previous by Thread: [pkgsrc/trunk]: pkgsrc/textproc/pugixml pugixml: Doesn't need gmake
Next by Thread: [pkgsrc/trunk]: pkgsrc/security/mozilla-rootcerts mozilla-rootcerts: Extend D...
Indexes:

Home | Main Index | Thread Index | Old Index