tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: security/ca-certificates

Martin Husemann <> writes:

> On Thu, Jun 09, 2022 at 06:35:25PM -0400, Greg Troxel wrote:
>> We generally take the view that if there are N ways to do things in the
>> world we allow packaging of all of them.   This package isn't something
>> I want, but prohibiting it because somebody might use it when we think
>> they shouldn't is beyond our normal practice.
> This seems to be a (temporary) attempt to paper over a NetBSD base
> system issue that would better be solved there (as Kimmo mentioned).
> We should have the real discussion on some base system specific list, and
> maybe just leave the pkg alone untill consensus has been reached (besides
> improving DESCR)?
> Would be really cool to fix it in base before NetBSD 10.0.

Paper over isn't really the right word.

pkgsrc runs on N systems, for a very large number of N.  Some of those
base systems contain a configured set of trust anchors, and some don't.
It's always going to be like that, as some of the N are not maintained.

pkgsrc policy so far has been to respect the base system choice of
whether to pre-configure trust anchors or not.  That means not changing
things in /etc, and it also means that when pkgsrc installs openssl that
there aren't configured trust anchors from pkgsrc.

If NetBSD base changes policy, then these packages should become less
necessary for NetBSD (after the change), but they are still going to be
needed for some people on older NetBSD and on a number of other systems.

If you want to start discussion about changing policy in NetBSD base,
that's of course an ok discussion to have, and belongs someplace else.
(A discussion should involve a survey of existing practice of a number
of other systems and their lessons learned.)  That discussion happening
or not happening is orthogonal to what pkgsrc should be doing.  At most,
it would mean that NetBSD users post-change would not be interested in
installing these packages.

Attachment: signature.asc
Description: PGP signature

Home | Main Index | Thread Index | Old Index