Re: security/mozilla-rootcerts-openssl post certificate inclusion in base
On Tue, 26 Sept 2023 at 12:21, Greg Troxel wrote:
>
> Chavdar Ivanov writes:
>
> > lack cause anything? On top of this, I seem not to be able to remove
> > mozilla-rootcerts-openssl, as it is required by hs-x509-system, itself
> > required eventually by converters/pandoc. (I sorted this out by
>
> That's a bug. It is against policy for a package to require
> mozilla-rootcerts-openssl.
>
> > replacing the latter package after cvs updating - the NetBSD
> > conditional in the Makefile has been removed so after that nothing
> > stopped me from removing mozilla-rootcerts-openssl; leaving the
> > comments in the mail as someone else may find himself in the same
> > situation).
>
> And it's fixed.

sure,

> > The query is then about the 198 certificates present in the package
> > but missing in base - are they likely to cause any problems?
>
> I would uninstall mozilla-rootcerts-openssl and then make sure your cert
> dir is ok.
>
> Are you saying that mozilla-rootcerts-openssl has CAs that base does
> not, separately from the history of how your system got to be how it is?

I just did a clean installation of -current from yesterday. This leaves /etc/openssl/certs with one single file and 280 links to files and links in /usr/share/certs/mozilla. However, the real files in that directory are 170 - exactly the number of real files in the package (which contains 169 links and 170 files). As the number of files appears the same, I'd say that base provides what is needed, even if it looks much different...

I will replace /etc/openssl/certs on my historical system with the contents from the cleanly installed one, that should do the job. I believe no other package should have added anything there. The confusion was created by the package which was still dependent on mozilla-rootcerts-openssl at the time of invoking 'pkg_admin rebuild' prior to pkg_rolling-replace.

There are other small bits which can cause trouble - e.g. my yesterday's -current works just fine (as a VMware Workstation guest), but when I selected the option of setting up pkgin during the installation (my build host serves it locally via ftp), it did all the setting up but could not actually invoke pkgin - as it was missing /usr/lib/libarchive.so.4.0 - the system now has 5.0 and pkgin was still not updated - I was about to start the rolling replace. I copied the older version onto the new system until the rolling replace completes on the build one. It is -current, after all; I build it usually every two weeks or so and it usually is very stable, but one has to be prepared to deal with such issues from time to time.

--
Re: security/mozilla-rootcerts-openssl post certificate inclusion in base
Chavdar Ivanov writes:

> lack cause anything? On top of this, I seem not to be able to remove
> mozilla-rootcerts-openssl, as it is required by hs-x509-system, itself
> required eventually by converters/pandoc. (I sorted this out by

That's a bug. It is against policy for a package to require mozilla-rootcerts-openssl.

> replacing the latter package after cvs updating - the NetBSD
> conditional in the Makefile has been removed so after that nothing
> stopped me from removing mozilla-rootcerts-openssl; leaving the
> comments in the mail as someone else may find himself in the same
> situation).

And it's fixed.

> The query is then about the 198 certificates present in the package
> but missing in base - are they likely to cause any problems?

I would uninstall mozilla-rootcerts-openssl and then make sure your cert dir is ok.

Are you saying that mozilla-rootcerts-openssl has CAs that base does not, separately from the history of how your system got to be how it is?
security/mozilla-rootcerts-openssl post certificate inclusion in base
Hi,

When I upgraded my -current build host to the version with included in base certificates, to complete the check process I just renamed /etc/openssl/certs to .../certs.OLD and the script then installed the supplied certificates as expected.

Now 'pkg_admin check' finds a lot of missing files from mozilla-rootcerts-openssl, together with many that are still present:

$ pkg_info -L mozilla-rootcerts-openssl-2.12 | grep ^/ | xargs ls -1 2>&1 | grep No\ such | wc -l
198
$ pkg_info -L mozilla-rootcerts-openssl-2.12 | grep ^/ | xargs ls -1 2>&1 | grep -v No\ such | wc -l
141
$ ls -1 /etc/openssl/certs | wc -l
281

There are a lot of common to both sets of certificates and quite a few that belong to only one of them. So far, with the renamed certs directory from the pkgsrc package the system has been working as expected, I haven't noticed any problems accessing sites etc., but I am not clear as far as these 198 files are concerned - could their lack cause anything?

On top of this, I seem not to be able to remove mozilla-rootcerts-openssl, as it is required by hs-x509-system, itself required eventually by converters/pandoc. (I sorted this out by replacing the latter package after cvs updating - the NetBSD conditional in the Makefile has been removed so after that nothing stopped me from removing mozilla-rootcerts-openssl; leaving the comments in the mail as someone else may find himself in the same situation).

The query is then about the 198 certificates present in the package but missing in base - are they likely to cause any problems?

Chavdar

--
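An added example, not part of the thread or of NetBSD/pkgsrc: the thread compares the two certificate directories by counting file names, which hashed-name links inflate, so this sketch compares them by the content of the files the entries resolve to and counts dangling links separately. All function names and the fixture are constructed for illustration; it compares raw file bytes, so the same certificate stored in two encodings would count as different.

```shell
#!/bin/sh
# Content digest of one file: sha256sum if installed, POSIX cksum otherwise.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        cksum < "$1" | awk '{print $1 "-" $2}'
    fi
}
# One digest per distinct certificate reachable from directory $1.
cert_set() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue   # -f follows links; false for dangling ones
        digest "$f"
    done | sort -u
}
# Number of symlinks in directory $1 whose target no longer exists.
dangling_count() {
    n=0
    for f in "$1"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}
# Number of certificates present in directory $1 but absent from $2.
only_in_first() {
    a=$(mktemp); b=$(mktemp)
    cert_set "$1" > "$a"; cert_set "$2" > "$b"
    comm -23 "$a" "$b" | wc -l | tr -d ' '
    rm -f "$a" "$b"
}
# Constructed fixture (not real certificates): "base" holds only links,
# "old" holds real files plus one dangling hashed-name link.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/store" "$d/base" "$d/old"
    echo "constructed cert A" > "$d/store/A.pem"
    echo "constructed cert B" > "$d/store/B.pem"
    ln -s ../store/A.pem "$d/base/A.pem"
    ln -s ../store/B.pem "$d/base/B.pem"
    ln -s A.pem "$d/base/aaaa1111.0"     # link to a link, same certificate
    echo "constructed cert A" > "$d/old/A.pem"
    echo "constructed cert C" > "$d/old/C.pem"
    ln -s gone.pem "$d/old/bbbb2222.0"   # target was removed
    echo "$d"
}
fx=$(make_fixture)
echo "only in old: $(only_in_first "$fx/old" "$fx/base")"
echo "only in base: $(only_in_first "$fx/base" "$fx/old")"
echo "dangling in old: $(dangling_count "$fx/old")"
rm -rf "$fx"
```

On a real system the two arguments would be the renamed old directory and the current /etc/openssl/certs; a non-zero "only in" count lists trust anchors that one set has and the other lacks.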