tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: security/mozilla-rootcerts and mozilla-rootcerts-openssl

Benny Siegert <> writes:

> +David Holland because he probably has opinions.
> On Fri, Nov 27, 2020 at 4:45 PM Ryo ONODERA <> wrote:
>> pkgsrc/security/mozilla-rootcerts/MESSAGE contains the following
>> explanation.
>> > Execute this command to extract and rehash all CA root certificates
>> > distributed by the Mozilla Project, so that they can be used by third
>> > party applications using OpenSSL. It also creates a single file
>> > certificate bundle in PEM format which can be used by applications using
>> > GnuTLS.
>> >
>> >        # mozilla-rootcerts install
> I added this command. Before "mozilla-rootcerts install" existed, the
> MESSAGE gave a list of a dozen steps to follow, which I converted into
> a shell script.

That script is and has been for a long time clearly referenced in DESCR.
I see the purpose of DESCR as explaining what the package is and what it
can do, pointing to packages that do things that one might expect to
find in this package, as well as explaining what's current and what's
old.  I expect people to look at DESCR.  But, given
mozilla-rootcerts-openssl, I think DESCR should primarily point out that
second package as I see the other package as the standard approach if
you want things installed.

> No one has ever fully explained to me why a separate
> mozilla-rootcerts-openssl is needed. Installing mozilla-rootcerts and
> running the command should be enough.

It is enough in some sense, but by that logic no package is needed
because the user can download the source for something and run
configure, make, make install.

The point of the mozilla-rootcerts-openssl package is to wrap the
command behind the package abstraction.  It lets people just put that in
a list of packages, instead of having to run commands.  Uninstalling
that package should and I think does deconfigure the CAs; if not that's
a bug.  Whether anyone "needs" this is a philosophical question, but it
seems a number of people do use it.

I know you know this, but for others reading: It is a separate package
because by policy we don't allow dependencies on packages that make
config changes beyond the package itself.

Attachment: signature.asc
Description: PGP signature

Home | Main Index | Thread Index | Old Index