tech-userlevel archive


Re: new certificate stuff



> Date: Sun, 3 Sep 2023 12:21:23 -0700 (PDT)
> From: Paul Goyette <paul%whooppee.com@localhost>
> 
> If I migrate to this new world order (ie, I delete existing package
> and clean out the /etc/openssl/certs directory), what happens to any
> packages that currently depend on mozilla-rootcerts?  Will they
> somehow magically not need to install the mozilla-rootcerts package?

Packages that merely depend on mozilla-rootcerts are unaffected.  You
don't need to delete mozilla-rootcerts.  It can remain installed.  The
same applies to ca-certificates.  After you delete /etc/openssl/certs
and run postinstall:

- Packages that look to /etc/openssl/certs for trust anchors will
  begin to see the base ones, not the mozilla-rootcerts package ones.

- Packages that look to $LOCALBASE/share/mozilla-rootcerts for trust
  anchors will continue to see the mozilla-rootcerts package ones.

We'll eventually fix most or all of the packages in the second group
to stop looking to $LOCALBASE/share/mozilla-rootcerts and to instead
look to /etc/openssl/certs on NetBSD, /etc/ssl/certs on FreeBSD,
/etc/pki/whatever on Fedora, &c.  But that won't happen immediately --
not pkgsrc-2023Q3.

(mozilla-rootcerts-openssl is a different story.  Nothing should
depend on this.  I just fixed the one case in pkgsrc of such an
incorrect dependency.  The new postinstall item for certctl(8) should
gracefully handle an existing mozilla-rootcerts-openssl install,
though.  If you want to let certctl(8) take over, you will have to
deinstall mozilla-rootcerts-openssl.)

