> Date: Mon, 28 Aug 2023 08:42:58 -0400
> From: Greg Troxel
>
> Taylor R Campbell writes:
>
> > How is using /etc/openssl/certs/.certctl as the token different from
> > using /etc/openssl/certs.conf as the token?
>
> Because normal updates merge etc in various ways, and if certs.conf
> comes a

What about certctl.conf in the etc set defaulting to "manual" and sysinst
(optionally?) changing it to automatic mode?
Of course, then, updating to -10 wouldn't give you automatic mode.
The other alternative is to decide that we are going to do unsafe things
and to put it super loudly in the release notes that any
sysadmin-configured trust anchors will be blown away. Compared to
pkgdb, I expect that most admins both have backups, and have such certs
elsewhere, and recovery is not

Taylor R Campbell writes:
> How is using /etc/openssl/certs/.certctl as the token different from
> using /etc/openssl/certs.conf as the token?
Because normal updates merge etc in various ways, and if certs.conf
comes along with that (because it is in etc.tgz) then that is automatic
and not an ad

Taylor R Campbell writes:
> Currently, if /etc/openssl/certs.conf doesn't exist, `certctl rehash'
> (the crux of `postinstall fix opensslcerts') will print an error
> message and then exit with status 0. This combination is a bug --
> need to think a bit about it, but probably better to exit non

> Date: Mon, 28 Aug 2023 06:30:05 -0400
> From: Greg Troxel
>
> Maybe this is too much, but perhaps certctl should look for a .certctl
> in /etc/openssl/certs and only if present rm/replace. Or really only
> limit the rm; adding to an empty dir is fine. Basically a token that
> says the dir is

Manuel Bouyer writes:
>> The etc.tgz set, however, will have /etc/openssl/certs.conf. So if
>> you naively unpack etc.tgz, `postinstall fix' will clobber your
>> /etc/openssl/certs directory.
>
> As it will clobber other /etc/ files, so that's fine.
Maybe this is too much, but perhaps certct

On Sun, Aug 27, 2023 at 10:53:58PM +, Taylor R Campbell wrote:
> > Date: Sat, 26 Aug 2023 19:15:01 +0200
> > From: Manuel Bouyer
> >
> > On Sat, Aug 26, 2023 at 04:48:59PM +, Taylor R Campbell wrote:
> > > [...]
> > > If you currently use security/mozilla-rootcerts or
> > > security/ca-ce

On Sun, Aug 27, 2023 at 10:53:58PM +, Taylor R Campbell wrote:
> Currently, if /etc/openssl/certs.conf doesn't exist, `certctl rehash'
> (the crux of `postinstall fix opensslcerts') will print an error
> message and then exit with status 0. This combination is a bug --
> need to think a bit ab