pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/ca-certificates security/ca-certificates: Cla...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/0e1ca85df588
branches:  trunk
changeset: 380612:0e1ca85df588
user:      gdt <gdt%pkgsrc.org@localhost>
date:      Fri Jun 10 13:14:10 2022 +0000

description:
security/ca-certificates: Clarify and adjust language

Point out that this is from Debian and that Debian's policy is unclear
(it's not on HOMEPAGE at least; they probably do have one).

Note that modification outside of the package's files is either to
base or to pkgsrc openssl.

Clarify that there's a supported way to exclude particular certs as
trust anchors.

diffstat:

 security/ca-certificates/DESCR |  24 ++++++++++++++++--------
 1 files changed, 16 insertions(+), 8 deletions(-)

diffs (32 lines):

diff -r 73dc41c44ecf -r 0e1ca85df588 security/ca-certificates/DESCR
--- a/security/ca-certificates/DESCR    Fri Jun 10 07:36:13 2022 +0000
+++ b/security/ca-certificates/DESCR    Fri Jun 10 13:14:10 2022 +0000
@@ -1,12 +1,20 @@
-This package provides the certificates distributed by the Mozilla
-Project and will, by default, install certificates trusted by the
-Mozilla Project in the system OpenSSL certificate store.  Modification
-of system configuration files is very irregular as pkgsrc should not
-write anything outside of ${PREFIX}.
+This package provides the root certificates distributed by the Mozilla
+Project as curated by Debian in their package of the same name, along
+with tools to manage the set of configured trust anchors for openssl.
+
+\todo Explain if Debian adds or removes, or if this is exactly the
+same set.
 
-The sysadmin can configure the list of trusted certificates and also
-add local certificates as needed by editing ca-certificates.conf and
-re-running update-ca-certificates.
+NB: Installing this package will modify the configuration of the
+openssl implementation used by pkgsrc, which is either the base system
+openssl or pkgsrc openssl.  The modification is configuring every
+certificate as a trust anchor.  Modification of system configuration
+files is very irregular as pkgsrc should not write anything outside of
+${PREFIX}.
+
+The sysadmin can exclude CA certificates from the list of trust
+anchors and also add local certificates as configured trust anchors by
+editing ca-certificates.conf and re-running update-ca-certificates.
 
 See also the mozilla-rootcerts and mozilla-rootcerts-openssl packages
 for an alternative approach.
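
Review bot: In the new NB paragraph, "The modification is configuring every certificate as a trust anchor" does not say that this is only the default, while the next paragraph says the sysadmin can exclude CA certificates by editing ca-certificates.conf. Wording such as "by default, every certificate in this package is configured as a trust anchor" would make the two paragraphs agree and tell the reader the scope of what they are trusting on install. The "\todo" lines about whether Debian adds or removes certificates end up in DESCR, which is the user-visible package description; the open question is relevant to anyone deciding whether to trust this set, so it would be better resolved, or stated as a plain sentence ("It is not documented here whether Debian's set differs from Mozilla's"), than left as a markup-style todo. Finally, the retained sentence about not writing outside ${PREFIX} now follows a sentence naming both base system openssl and pkgsrc openssl, and it is not clear from the text whether the irregularity applies to both cases; saying which one it refers to would help.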


