pkgsrc-Changes archive


Re: CVS commit: pkgsrc/security/mozilla-rootcerts



* On 2020-03-27 at 16:37 GMT, Greg Troxel wrote:

> Jonathan Perkin <jperkin%joyent.com@localhost> writes:
> 
> >> On one of your systems where openssl is provided by pkgsrc, does
> >> mozilla-rootcerts-openssl work for you?
> >
> > It generally just breaks things.  We already ship everything
> > configured using just mozilla-rootcerts and running the install
> > script, so installing mozilla-rootcerts-openssl on top is at best a
> > nop, but at worst just breaks everything.
> 
> So you are running something that is not exactly pkgsrc, it seems.

What do you mean?  It is entirely pkgsrc.

> >   $ pkg_delete mozilla-rootcerts-openssl
> >   $ curl -I https://whatever/
> >   curl: (60) SSL certificate problem: unable to get local issuer certificate
> 
> That isn't "breaking things".  The administrator explicitly asked to
> remove the package that configures trust anchors, and so the trust
> anchor configuration was removed.   To leave them installed would be a
> bug.

In this case yes, I explicitly uninstalled it.  I'm talking about
situations where the package might be upgraded, either from source or
binary, where the package will be removed before a newer one is
installed.  During that period, which may be a long time if there is
some issue with the upgrade, the user has now lost the ability to
reliably download over HTTPS, which may be necessary for them to
repair the situation.

> What did you expect to happen?

I don't expect packages in pkgsrc to be removing files from my
PKG_SYSCONFDIR that I have placed there.  It's completely against our
policies and unlike all other packages.  Yes, I understand this is a
"special" package, but users shouldn't have to be aware of special
packages, they should just not have to put up with breakage.

> > Even trying to re-install the certs now fails, because it managed to
> > remove the certs directory completely:
> >
> >   $ mozilla-rootcerts install
> >   ERROR: /opt/local/etc/openssl/certs does not exist, aborting.
> 
> Well that's a bug and we should fix it.  The directory was not created
> by the package and should not be removed.  I'll have a look.
> 
> Did a simple mkdir and re-running then work?

Yes.

> > I don't want mozilla-rootcerts-openssl anywhere near my systems.  Even
> > in a best case scenario where a user is installing it instead of just
> > running the install script manually, there is still plenty that can go
> > wrong (think of an upgrade scenario where something goes awry part way
> > through and now their fetch and pkg_add commands are broken when
> > trying to fix things).
> 
> That's your call of course.

Sure, and that's what we do, but I need to be explicit here about why
the -openssl package can be dangerous.  Not very long ago there was a
proposal on tech-pkg@ that it should be made a mandatory DEPENDS, and
I'm simply making sure people are aware that the -openssl package is
entirely superfluous on systems using pkgsrc openssl at best, and
actively dangerous at worst.

Again, I would be much more comfortable if the -openssl package was
only recommended when using native openssl.  I see zero benefits for
it to be used on pkgsrc openssl systems, only drawbacks, and it
clearly causes confusion for people as this thread demonstrates.

> On your systems, presumably SmartOS, is there openssl in the base
> system, or are you using openssl from pkgsrc?   Does the openssl in base
> have preconfigured trust anchors?

There is a base openssl but it is hidden and only used by some of the
base programs.  It has no trust anchors.  All of the software that
regular users execute is provided by pkgsrc, which uses pkgsrc
openssl, which uses the trust anchors installed by mozilla-rootcerts.

-- 
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com
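
The failure mode reported in this message (the certs directory disappearing during a package removal or upgrade) can be detected and repaired with a small check. This is an added example, not part of the original message or of pkgsrc; the function names and return codes are hypothetical, and it assumes the install script leaves OpenSSL-style hashed links (`xxxxxxxx.N`) in the directory.

```shell
#!/bin/sh
# Added example: classify and repair an OpenSSL trust-anchor directory.
# Function names and return codes are constructed for this example.

# trust_anchor_state DIR
#   0 = DIR exists and holds at least one usable hashed cert link (xxxxxxxx.N)
#   1 = DIR is missing (the state that makes "mozilla-rootcerts install" abort)
#   2 = DIR exists but holds no usable hashed links (no trust anchors)
trust_anchor_state() {
    dir=$1
    [ -d "$dir" ] || return 1
    for f in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        # -e follows symlinks, so a dangling link is not counted as an anchor.
        # An unmatched glob stays literal and also fails this test.
        if [ -e "$f" ]; then
            return 0
        fi
    done
    return 2
}

# repair_trust_anchors DIR [INSTALLER]
#   Follows the repair described in the thread: recreate the directory if it
#   is gone, re-run the install script, then verify the result.
#   INSTALLER defaults to mozilla-rootcerts and is called as "INSTALLER install".
repair_trust_anchors() {
    dir=$1
    installer=${2:-mozilla-rootcerts}
    state=0
    trust_anchor_state "$dir" || state=$?
    if [ "$state" -eq 0 ]; then
        return 0                      # anchors present, nothing to do
    fi
    if [ "$state" -eq 1 ]; then
        mkdir -p "$dir" || return 1   # the "simple mkdir" from the thread
    fi
    "$installer" install || return 1
    trust_anchor_state "$dir"         # fail if the directory is still unusable
}

# Example use, with the path from the error message above:
#   trust_anchor_state /opt/local/etc/openssl/certs; echo "state=$?"
#   repair_trust_anchors /opt/local/etc/openssl/certs
```

Running `trust_anchor_state` before and after a package upgrade shows whether HTTPS verification will still work for the fetch and pkg_add steps that follow.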