pkgsrc-Users archive
Re: How to handle updates to mozilla-rootcerts?
Havard Eidnes <he%NetBSD.org@localhost> writes:
> Hi,
>
> I noticed in my latest pkgsrc update that I got a new version of
> the mozilla-rootcerts package installed, a diff of "old vs new" gave:
>
> -mozilla-rootcerts-1.0.20170121nb6 Root CA certificates from the Mozilla Project
> +mozilla-rootcerts-1.0.20180111 Root CA certificates from the Mozilla Project
>
> Is any action on my (the operator's) side required to effect this
> update? I suspect "yes", and the reason I ask is that "pkg_info
> mozilla-rootcerts" says

Two thoughts:

The use of MESSAGE (in all cases) is basically a bug. Packages get
installed indirectly, via pkgin, etc., and the notion that there is a
human to read messages is often wrong. So we should figure out a way
to handle this that enables removing MESSAGE, and then actually remove
MESSAGE.

mozilla-rootcerts is particularly difficult, because there is an intent
to make a security-relevant configuration change. If someone installs
it on purpose, and it does that change, that seems ok. But, we
have many situations where it is a dependency of some other program.
The idea that you install some random package and as a side effect the
set of configured system trust anchors changes is not ok. So we
either need some explicit user choice to let mozilla-rootcerts control
system trust anchors, or a rule that it can't be a dependency.

One way out would be to have another package, perhaps
mozilla-rootcerts-install, that depends on mozilla-rootcerts and
actually installs the certs, and somehow is triggered if
mozilla-rootcerts is reinstalled. Or some config file that tells
mozilla-rootcerts that the user has asked for the provided certs to be
configured as trust anchors. I think that mozilla-rootcerts-openssl
does this, but I'm not quite sure as this entire openssl setup is a wee
bit too complicated.