Received: by mail.netbsd.org (Postfix, from userid 605) id E57B084D98; Fri, 27 Mar 2020 13:42:54 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 6F72584CD3 for ; Fri, 27 Mar 2020 13:42:54 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id 5F_gteXRV5UE for ; Fri, 27 Mar 2020 13:42:54 +0000 (UTC) Received: from cvs.NetBSD.org (ivanova.NetBSD.org [IPv6:2001:470:a085:999:28c:faff:fe03:5984]) by mail.netbsd.org (Postfix) with ESMTP id E36CF84D2C for ; Fri, 27 Mar 2020 13:42:53 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id B3678FB27; Fri, 27 Mar 2020 13:42:53 +0000 (UTC) Content-Transfer-Encoding: 7bit Content-Type: multipart/mixed; boundary="_----------=_1585316573154730" MIME-Version: 1.0 Date: Fri, 27 Mar 2020 13:42:53 +0000 From: "Greg Troxel" Subject: CVS commit: pkgsrc/security/mozilla-rootcerts-openssl To: pkgsrc-changes@NetBSD.org Reply-To: gdt@netbsd.org X-Mailer: log_accum Message-Id: <20200327134253.B3678FB27@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk List-Unsubscribe: This is a multi-part message in MIME format. --_----------=_1585316573154730 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: gdt Date: Fri Mar 27 13:42:53 UTC 2020 Modified Files: pkgsrc/security/mozilla-rootcerts-openssl: DESCR Log Message: mozilla-rootcerts-openssl: Revise and extend DESCR Explain the purpose, and then explain the mechanism and why it is somewhat and very irregular in the pkgsrc and native cases. Point to mozilla-rootcerts as providing certificates without configuring them as trust anchors. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/mozilla-rootcerts-openssl/DESCR Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1585316573154730 Content-Disposition: inline Content-Length: 1642 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/security/mozilla-rootcerts-openssl/DESCR diff -u pkgsrc/security/mozilla-rootcerts-openssl/DESCR:1.1 pkgsrc/security/mozilla-rootcerts-openssl/DESCR:1.2 --- pkgsrc/security/mozilla-rootcerts-openssl/DESCR:1.1 Sat Apr 18 20:21:25 2015 +++ pkgsrc/security/mozilla-rootcerts-openssl/DESCR Fri Mar 27 13:42:53 2020 @@ -1,7 +1,18 @@ -This is a hack for managing the certificate files installed into -the OpenSSL certs directory by the mozilla-rootcerts package. +This package configures the Mozilla rootcerts bundle CAs as trust +anchors in OpenSSL, so that programs using OpenSSL will be able to use +them to validate SSL certificates. -For native OpenSSL it operates directly in /etc/ssl/certs (because it -has to) and not under the pkgsrc prefix, and even for pkgsrc OpenSSL -it still scribbles in $PREFIX/etc/ssl/certs where packages normally -shouldn't. Be advised. +For pkgsrc-provided OpenSSL, this package operates modifies +${PREFIX}/etc/ssl/certs as installed by another package. This is +somewhat irregular as packages should not modify content under etc. + +For native OpenSSL, it modifies the base system OpenSSL certificate +directory, e.g. /etc/openssl/certs or /etc/ssl/certs. This is +necessary to configure trust anchors for native OpenSSL, so that +progams in pkgsrc can use these CA certs in validation. Modification +of /etc is very irregular as pkgsrc should not write anything outside +of ${PREFIX}. + +See also the mozilla-rootcerts package (which this one depends on) for +placing the Mozilla CA list in the filesystem but not configuring it +into OpenSSL. \ No newline at end of file --_----------=_1585316573154730--