pkgsrc-Changes archive


Re: CVS commit: pkgsrc/security



Kimmo Suominen <kim%netbsd.org@localhost> writes:

> Thank you for the feedback.

Thanks for listening!

> The key difference between ca-certificates and mozilla-rootcerts is
> that the former provides a framework for managing /etc/openssl/certs
> in a flexible manner: local certificates can be added, and
> installation of certificates from both ca-certificates and possible
> other packages that provide certificates is configurable by the
> sysadmin. The latter refuses to work with anything but an empty
> /etc/openssl/certs. And if I understand correctly,
> mozilla-rootcerts-openssl uses fixed filenames for installing in
> /etc/openssl/certs, which can result in conflicts with certificates
> from other sources.

That does sound like a big difference.  I think DESCR (of each package)
should have enough information about how it behaves so that people can
choose what they want to do.

It also sounds, if I followed, that if ca-certificates can manage
installation of the root set (which it does or doesn't include?), then
it is strictly more useful as the notion that one's CA list must be
identically Mozilla's is quite limiting.

I realize that we don't want a man page in DESCR; I am trying to suggest
that enough of a "you can do X but you cannot do Y" functional spec for
someone to make the decision to install and read the docs to figure out
how to do that.

> Using a README file sounds like a good idea. I just copied
> mozilla-rootcerts as a starting point, and it used MESSAGE for exactly
> the same information. I didn't think of changing it yesterday, but now
> I think both packages would benefit from using a README file instead.

If you are up for changing that, that would be great.  My sense is that
there are some that think MESSAGE is somewhat overused and some that
think it is massively overused and almost none that are big fans of it.


