Re: mozilla-rootcerts-openssl

[Tobias Nygren <tnn%NetBSD.org@localhost>]

On Mon, 23 Mar 2015 06:09:34 +0000
David Holland <dholland-pkgtech%netbsd.org@localhost> wrote:

> Being tired of the way mozilla-rootcerts works (the point of having
> packages is so that if you get a bajillion files blatted somewhere the
> package manager can clean them up or update them afterwards...) I have
> concocted the following hack to directly manage the cert files that it
> spews.
> 
> This requires a small straightforward patch to mozilla-rootcerts so
> that its script accepts the -d destdir option.
> 
> It appears that openssl does not support more than one directory of
> certs (sheesh) which is I guess how mozilla-rootcerts ended up the way
> it is; anyway, the result is that this is an abusive package that
> installs the files directly into etc/openssl/certs, and for native
> openssl it's an especially abusive package because this is outside
> $PREFIX.
> 
> Nonetheless it's better than not having it.
> 
> Comments?

This is useful, I like it. But I have a feature request if I may be so
bold: I could really use support for local addon CAs in this package.
Like if I have an internal root CA I'd like to be able to drop it's .pem
file in FILESDIR and have it installed and managed in the same way.

-Tobias