tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Does mozilla-rootcerts-openssl need to be unconditionally NOT_FOR_UNPRIVILEGED?

On 4/3/21 8:33 AM, Greg Troxel wrote:
Jason Bacon <> writes:

I like the idea of a trust anchors variable in mk.conf.  Whenever
there's good reason to have different views, let the end-user decide.
I would add a question to auto-pkgsrc-setup so the issue is dealt with
during setup as the user sees fit.
I think it's reasonable in concept for pkgsrc to configure pkgsrc
openssl to somehow adopt the trust anchors of the base system.  But,
that's pretty tricky since one might expect it to track, and that might
mean making etc/openssl/certs a symlink, and that seems likely to have
unintended consequences.

So I think where I am is that I'm willing to review a concrete proposal
to do something, but I'm not sure how I'll respond once I see the
discussion of the edge cases, and I also don't expect an easy consensus.

(I do expect to quickly say that any proposal doesn't explain well
enough what happens in various situations, and to keep being difficult
like that until it's understood and only then address the issue on its
merits.  I expect this to be pretty difficult, and as it solves a
problem I don't have, am not eager to work on it.)
I'm not driven to push this issue either, but since others have brought it up independently I thought it was worth following up.

Currently my auto-pkgsrc-setup script ( describes the issue and offers to install mozilla-rootcerts*, which is good enough for me.  My only concern is for people unaware of the pkgsrc curl issue who are running bootstrap manually, but they're likely sharp enough to find a solution on their own.



Home | Main Index | Thread Index | Old Index