pkgsrc-Changes archive


Re: CVS commit: pkgsrc/security/mozilla-rootcerts



Jonathan Perkin <jperkin%joyent.com@localhost> writes:

>> On one of your systems where openssl is provided by pkgsrc, does
>> mozilla-rootcerts-openssl work for you?
>
> It generally just breaks things.  We already ship everything
> configured using just mozilla-rootcerts and running the install
> script, so installing mozilla-rootcerts-openssl on top is at best a
> nop, but at worst just breaks everything.

So you are running something that is not exactly pkgsrc, it seems.

> Start with a default install, mozilla-rootcerts + install script,
> everything works great.
>
>   $ curl -I https://whatever/
>   HTTP/1.1 200 OK

OK

> Install the -openssl package now makes it take over management of
> those config files, so after install everything is still ok, but any
> attempt to remove the package breaks things:
>
>   $ pkg_add mozilla-rootcerts-openssl
>   $ curl -I https://whatever/
>   HTTP/1.1 200 OK

Good.  That's what I expected and I think we both think that's the right
outcome.  You are saying "takes over", but within the context of pkgsrc
the mozilla-rootcerts-openssl package is doing what it is documented to
do: change the config of another package under etc, which is
admittedly irregular.

>   $ pkg_delete mozilla-rootcerts-openssl
>   $ curl -I https://whatever/
>   curl: (60) SSL certificate problem: unable to get local issuer certificate

That isn't "breaking things".  The administrator explicitly asked to
remove the package that configures trust anchors, and so the trust
anchor configuration was removed.  To leave them installed would be a
bug.

What did you expect to happen?

> Even trying to re-install the certs now fails, because it managed to
> remove the certs directory completely:
>
>   $ mozilla-rootcerts install
>   ERROR: /opt/local/etc/openssl/certs does not exist, aborting.

Well that's a bug and we should fix it.  The directory was not created
by the package and should not be removed.  I'll have a look.

Did a simple mkdir and re-run then work?

> I don't want mozilla-rootcerts-openssl anywhere near my systems.  Even
> in a best case scenario where a user is installing it instead of just
> running the install script manually, there is still plenty that can go
> wrong (think of an upgrade scenario where something goes awry part way
> through and now their fetch and pkg_add commands are broken when
> trying to fix things).

That's your call of course.

I just updated DESCR to mention the script.  (The script needs a man
page and an argument to deconfigure what it configured.)

There are lots of perils here.  One example is NetBSD, where upgrading
pkgsrc switches one from base OpenSSL 1.0 to pkgsrc OpenSSL 1.1.


On your systems, presumably SmartOS, is there openssl in the base
system, or are you using openssl from pkgsrc?  Does the openssl in base
have preconfigured trust anchors?
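The failure mode in the exchange above is that removing the -openssl package takes the certs directory with it, after which the install script aborts with "does not exist". The following is an added example, not code from the thread or from the mozilla-rootcerts package: a small guard an administrator could run before re-running the install script. It assumes the directory layout that OpenSSL's CApath lookup uses (files or symlinks named by subject hash, e.g. 0123abcd.0); the directory path itself is whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not part of the original thread or package): check and
# repair the OpenSSL trust-anchor directory before running
# `mozilla-rootcerts install`.  The hash-link naming (8 hex digits, a
# dot, a sequence number) is what OpenSSL's CApath lookup expects and
# what c_rehash / `openssl rehash` produce; the path is an assumption.

# Report the state of a certs directory on stdout:
#   missing    - directory does not exist (install script would abort)
#   empty      - directory exists but holds no hash links, so OpenSSL
#                trusts nothing even though the directory is there
#   populated  - at least one hash-named entry is present
certs_dir_state() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    n=0
    for f in "$dir"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    if [ "$n" -eq 0 ]; then
        echo empty
    else
        echo populated
    fi
}

# Recreate the directory if a package removal took it away, so that the
# install script's existence check passes.  Returns non-zero if the
# directory cannot be created or is not writable.
ensure_certs_dir() {
    dir=$1
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    [ -w "$dir" ] || { echo "$dir is not writable" >&2; return 1; }
    return 0
}

# Typical use, with the path quoted in the thread as the assumed default:
#   ensure_certs_dir /opt/local/etc/openssl/certs && mozilla-rootcerts install
#   certs_dir_state /opt/local/etc/openssl/certs   # expect "populated"
```

Running `certs_dir_state` after the install script is the cheap check that the hash links were actually written; an "empty" result means curl and pkg_add will still fail with "unable to get local issuer certificate" even though the directory now exists.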


