> Date: Sun, 3 Sep 2023 12:21:23 -0700 (PDT)
> From: Paul Goyette
>
> If I migrate to this new world order (i.e., I delete existing package
> and clean out the /etc/openssl/certs directory), what happens to any
> packages that currently depend on mozilla-rootcerts? Will they
> somehow magically no
I'm trying to make sure this will provide a seamless fresh install and
upgrade path so that if you were already managing /etc/openssl/certs,
it stays that way, but if you weren't, certctl(8) takes over and makes
the Mozilla trust anchors available. And I'd like to get this into 10
ASAP.
Sounds
> Date: Mon, 28 Aug 2023 10:41:32 +0200
> From: Manuel Bouyer
>
> Maybe postinstall should check the /etc/openssl/certs.conf existence,
> and fail the 'fix opensslcerts' asking for it to be manually created;
> as we do for e.g. uid/gid if some are missing ?
I split it into two postinstall items:
Taylor R Campbell writes:
> The critical part I had missed is that certctl can claim _either_ a
> directory it has already claimed, _or_ an empty directory, so it works
> for new installations and to update pristine but old installations.
Sorry, I should have said that out loud; I was thinking t
> Date: Mon, 28 Aug 2023 08:42:58 -0400
> From: Greg Troxel
>
> Taylor R Campbell writes:
>
> > How is using /etc/openssl/certs/.certctl as the token different from
> > using /etc/openssl/certs.conf as the token?
>
> Because normal updates merge etc in various ways, and if certs.conf
> comes a
What about certctl.conf in the etc set defaulting to "manual" and sysinst
(optionally?) changing it to automatic mode?
Of course, then, updating to -10 wouldn't give you automatic mode.
The other alternative is to decide that we are going to do unsafe things
and to put it super loudly in the release notes that any
sysadmin-configured trust anchors will be blown away. Compared to
pkgdb, I expect that most admins both have backups, and have such certs
elsewhere, and recovery is not
Taylor R Campbell writes:
> How is using /etc/openssl/certs/.certctl as the token different from
> using /etc/openssl/certs.conf as the token?
Because normal updates merge etc in various ways, and if certs.conf
comes along with that (because it is in etc.tgz) then that is automatic
and not an ad
Taylor R Campbell writes:
> Currently, if /etc/openssl/certs.conf doesn't exist, `certctl rehash'
> (the crux of `postinstall fix opensslcerts') will print an error
> message and then exit with status 0. This combination is a bug --
> need to think a bit about it, but probably better to exit non
> Date: Mon, 28 Aug 2023 06:30:05 -0400
> From: Greg Troxel
>
> Maybe this is too much, but perhaps certctl should look for a .certctl
> in /etc/openssl/certs and only if present rm/replace. Or really only
> limit the rm; adding to an empty dir is fine. Basically a token that
> says the dir is
Manuel Bouyer writes:
>> The etc.tgz set, however, will have /etc/openssl/certs.conf. So if
>> you naively unpack etc.tgz, `postinstall fix' will clobber your
>> /etc/openssl/certs directory.
>
> As it will clobber other /etc/ files, so that's fine.
Maybe this is too much, but perhaps certct
On Sun, Aug 27, 2023 at 10:53:58PM +, Taylor R Campbell wrote:
> > Date: Sat, 26 Aug 2023 19:15:01 +0200
> > From: Manuel Bouyer
> >
> > On Sat, Aug 26, 2023 at 04:48:59PM +, Taylor R Campbell wrote:
> > > [...]
> > > If you currently use security/mozilla-rootcerts or
> > > security/ca-ce
On Sun, Aug 27, 2023 at 10:53:58PM +, Taylor R Campbell wrote:
> Currently, if /etc/openssl/certs.conf doesn't exist, `certctl rehash'
> (the crux of `postinstall fix opensslcerts') will print an error
> message and then exit with status 0. This combination is a bug --
> need to think a bit ab
> Date: Sat, 26 Aug 2023 19:15:01 +0200
> From: Manuel Bouyer
>
> On Sat, Aug 26, 2023 at 04:48:59PM +, Taylor R Campbell wrote:
> > [...]
> > If you currently use security/mozilla-rootcerts or
> > security/ca-certificates (or security/mozilla-rootcerts-openssl) to
> > populate /etc/openssl/c
On Sat, Aug 26, 2023 at 04:48:59PM +, Taylor R Campbell wrote:
> [...]
> If you currently use security/mozilla-rootcerts or
> security/ca-certificates (or security/mozilla-rootcerts-openssl) to
> populate /etc/openssl/certs, and you want to continue to use it, you
> will have to put the line `m
> Date: Sat, 26 Aug 2023 08:20:50 -0700 (PDT)
> From: Paul Goyette
>
> OK, I tried to read and understand the thread, but not really sure I
> succeeded with the understanding part. (In fact, I'm pretty sure I
> failed that part, miserably.)
This is about enabling TLS clients -- like ftp(1), pkg
OK, I tried to read and understand the thread, but not really sure I
succeeded with the understanding part. (In fact, I'm pretty sure I
failed that part, miserably.)
I've got a simple set-up here, running postfix and pine for Email, and
of course f-fox for browsing. I've never done anything (at