[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: [PATCH] www/curl certbundle and missing dep
On 11/15/20 3:03 PM, Greg Troxel wrote:
We had this discussion before and the consensus was that pulling in
certs as a dependency is not the pkgsrc way.
"Dr. Thomas Orgis" <thomas.orgis%uni-hamburg.de@localhost> writes:
Any reaction to the certbundle part?
I'm not entirely clear on this. In general, the entire subject of
configuring trust anchors is a bit messy. Typically, when a pkgsrc
program uses openssl, it ends up using that's openssl's trust anchor
So, it seems there is something more going on, and curl is not using the
default verifier, but is doing something more.
I don't understand SSLCERTBUNDLE; I don't find it in
I don't understand the "it is essential", as it seems the normal
approach is to have certs in SSLCERTS with the hash symlinks. If
someone has a bundle instead, and openssl by default reads that too,
that's fine -- but curl seems to be doing things its own way.
I also think it's incorrect to change behavior of a tool at run time
based on whether there was or was not a bundle present at configure
time, if that's what is going on. The buildtime system's trust anchor
configuaration is not really related to the runtime system's
Overall this problem seems like a symptom of curl not using the default verifier.
Can you explain what the problem is, and why you think this is the right
thing to do?
In response, I added a user prompt to auto-pkgsrc-setup briefly
explaining and offering to install mozilla-rootcerts.
There are some tools in pkgsrc where the default install won't work
without them, such as R's install.packages() now that CRAN is https
only. It works with curl from Yum but not from pkgsrc unless the certs
Main Index |
Thread Index |