pkgsrc-Changes archive


Re: CVS commit: pkgsrc/security/mozilla-rootcerts



* On 2020-03-27 at 14:01 GMT, Greg Troxel wrote:

> Jonathan Perkin <jperkin%joyent.com@localhost> writes:
> 
> > * On 2020-03-27 at 13:33 GMT, Greg Troxel wrote:
> >
> >> Module Name:       pkgsrc
> >> Committed By:      gdt
> >> Date:              Fri Mar 27 13:33:08 UTC 2020
> >> 
> >> Modified Files:
> >>    pkgsrc/security/mozilla-rootcerts: DESCR
> >> 
> >> Log Message:
> >> mozilla-rootcerts: Extend DESCR
> >> 
> >> Make it clear that this package does not configure certificates as
> >> trust anchors.
> >> 
> >> Point to mozilla-rootcerts-openssl for actual installation.
> >
> > I'm not sure this makes things any clearer.  I'm still not fully clear
> > on what exactly mozilla-rootcerts-openssl is for, I think it's only
> > useful for the case where a user is using builtin openssl?
> 
> I used it to configure trust anchors into pkgsrc openssl, on a system
> where pkgsrc chose pkgsrc openssl (because base was too old).
> 
> On one of your systems where openssl is provided by pkgsrc, does
> mozilla-rootcerts-openssl work for you?

It generally just breaks things.  We already ship everything
configured using just mozilla-rootcerts and running the install
script, so installing mozilla-rootcerts-openssl on top is at best a
nop, but at worst just breaks everything.

Start with a default install, mozilla-rootcerts + install script,
everything works great.

  $ curl -I https://whatever/
  HTTP/1.1 200 OK

Installing the -openssl package now makes it take over management of
those config files, so after install everything is still ok, but any
attempt to remove the package breaks things:

  $ pkg_add mozilla-rootcerts-openssl
  $ curl -I https://whatever/
  HTTP/1.1 200 OK

  $ pkg_delete mozilla-rootcerts-openssl
  $ curl -I https://whatever/
  curl: (60) SSL certificate problem: unable to get local issuer certificate

Even trying to re-install the certs now fails, because it managed to
remove the certs directory completely:

  $ mozilla-rootcerts install
  ERROR: /opt/local/etc/openssl/certs does not exist, aborting.

I don't want mozilla-rootcerts-openssl anywhere near my systems.  Even
in a best case scenario where a user is installing it instead of just
running the install script manually, there is still plenty that can go
wrong (think of an upgrade scenario where something goes awry part way
through and now their fetch and pkg_add commands are broken when
trying to fix things).

-- 
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com
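
[Added example, not part of the original message or of pkgsrc: a pre/post-change check for the failure shown above, where removing a package leaves the OpenSSL certificate directory missing. The function name check_trust_dir and its status strings are hypothetical; the only path taken from the thread is /opt/local/etc/openssl/certs.]

```shell
#!/bin/sh
# Added example (not pkgsrc code). check_trust_dir and the status words
# "missing", "empty", "dangling", "ok" are hypothetical names.
#
# OpenSSL finds CAs in a certificate directory through files named
# <8 hex digits>.<n> (subject hash plus sequence number), usually
# symlinks to the PEM files. The check reports:
#   missing  (exit 2)  directory is gone, as after the pkg_delete above
#   empty    (exit 1)  directory exists but holds no usable hash entries
#   dangling (exit 1)  at least one hash link points at a removed file
#   ok       (exit 0)  hash entries present and all of them resolve

check_trust_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing"
        return 2
    fi
    usable=0
    dangling=0
    h='[0-9a-f]'
    for f in "$dir"/$h$h$h$h$h$h$h$h.[0-9]*; do
        # An unmatched glob stays literal and fails both tests below.
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            dangling=$((dangling + 1))
        elif [ -s "$f" ]; then
            usable=$((usable + 1))
        fi
    done
    if [ "$usable" -eq 0 ]; then
        echo "empty"
        return 1
    fi
    if [ "$dangling" -gt 0 ]; then
        echo "dangling"
        return 1
    fi
    echo "ok"
    return 0
}
```

Calling check_trust_dir /opt/local/etc/openssl/certs before and after a pkg_add, pkg_delete or upgrade shows whether the operation left the trust anchors in place, without depending on a network fetch to find out.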


