Re: new certificate stuff

To: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Subject: Re: new certificate stuff
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Mon, 28 Aug 2023 06:30:05 -0400

Manuel Bouyer <bouyer%antioche.eu.org@localhost> writes:

>> The etc.tgz set, however, will have /etc/openssl/certs.conf.  So if
>> you naively unpack etc.tgz, `postinstall fix' will clobber your
>> /etc/openssl/certs directory.
>
> As it will clobber others /etc/ files, so that's fine.

Maybe this is too much, but perhaps certctl should look for a .certctl
in /etc/openssl/certs and only if present rm/replace.  Or really only
limit the rm; adding to an empty dir is fine.   Basically a token that
says the dir is under the control of certctl.  -f can override the
check and write the token.

I know this sounds like extra work, but the lesson I took from the pkgdb
change is that things like that this are at least 10x harder than you
think.

Also people will have to uninstall mozilla-rootcerts-openssl.

Follow-Ups:
- Re: new certificate stuff
  - From: Taylor R Campbell

References:
- Re: new certificate stuff
  - From: Manuel Bouyer
- Re: new certificate stuff
  - From: Taylor R Campbell
- Re: new certificate stuff
  - From: Manuel Bouyer

Prev by Date: Re: new certificate stuff
Next by Date: Re: new certificate stuff
Previous by Thread: Re: new certificate stuff
Next by Thread: Re: new certificate stuff
Indexes:

Home | Main Index | Thread Index | Old Index