tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Does mozilla-rootcerts-openssl need to be unconditionally NOT_FOR_UNPRIVILEGED?

On 2020-03-10 14:53, Jonathan Perkin wrote:
* On 2020-03-10 at 19:24 GMT, Jason Bacon wrote:

On 2020-03-10 08:38, Denys Nykula wrote:
10 March 2020, 08:05:12 "Jason Bacon" <>:


I found that on Darwin, it installs and functions fine in an
unprivileged tree if I comment out NOT_FOR_UNPRIVILEGED.

It seems to me that the unprivileged install is only needed to install
in /etc, which only happens if using builtin openssl.

I think the patch below should allow installing in unprivileged mode:
Can confirm, I have an unprivileged Linux pkgsrc prefix where with such
patch the certs install fine and make curl work without -k.
I believe the need for this in R is also due to R's use of curl.

Perhaps security/mozilla-rootcerts-openssl should be a run dependency for
www/curl?  As ubiquitous as https is now, anyone using curl will probably
have to install mozilla-rootcerts-openssl anyway.
I forget what exactly the point of mozilla-rootcerts-openssl is, but
please don't add it as a dependency - for those of us happy to use the
mozilla-rootcerts by default, only the mozilla-rootcerts package
itself is required, along with a run of the install script.

All I can say at this point is mozilla-rootcerts by itself doesn't fix install.packages() in R.  I checked that before installing mozilla-rootcerts-openssl.

My main concern is other sysadmins trying out pkgsrc for the first time, discovering that basic tools like curl don't work, and not having the time or inclination to figure out why.

As I mentioned previously, I think simply providing the solution would be sufficient and maybe in some peoples' eyes even make pkgsrc look superior to other package managers that don't consider the security implications of installing certs automatically.


Home | Main Index | Thread Index | Old Index