Re: pkg/58143: security/gnutls uses wrong trust anchors

["Leonardo Taccari via gnats" <gnats-admin%NetBSD.org@localhost>]

The following reply was made to PR pkg/58143; it has been noted by GNATS.

From: Leonardo Taccari <leot%NetBSD.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: pkg/58143: security/gnutls uses wrong trust anchors
Date: Tue, 31 Dec 2024 11:44:53 +0100

 Hello Taylor,
 
 Taylor R Campbell writes:
 > The attached patch series creates a new mk/ssl.mk and teaches
 > security/gnutls to use it.
 >
 > I have not yet systematically changed everything that references
 > share/mozilla-rootcerts/cacert.pem or SSLCERTBUNDLE or whatever to use
 > the new mk/ssl.mk because there are some fiddly details for some
 > packages like www/curl and so this needs some care.
 >
 > But I have tested gnutls with the attached patch series (which doesn't
 > affect any other packages) and I think this incremental approach is
 > low-risk for pullup to 2024Q4.  Specifically, I ran `bmake test' (all
 > tests passed), and verified that it examines the intended path on
 > NetBSD -- both with ktrace and by moving the file out of the way and
 > confirming gnutls fails certificate validation.
 >
 > This should get some other eyeballs and I probably won't have time to
 > deal with it for another week so if someone else wants to commit, feel
 > free -- detailed commit messages and comments explaining what's going
 > on are already written.
 > [...]
 
 Looks good to me!
 
 
 Thank you very much for fixing and improving that!