author | gdt <gdt@pkgsrc.org> | 2022-06-10 13:14:10 +0000 |
---|---|---|
committer | gdt <gdt@pkgsrc.org> | 2022-06-10 13:14:10 +0000 |
commit | 735f0d395a7b60430cc0ec4f6a7b8b82ec762514 (patch) | |
tree | 7fbf3be1126c3f054cd167ce3e782aaee0668dab /security | |
parent | 8606938c29948de06748b832b981dd2bef246724 (diff) | |
download | pkgsrc-735f0d395a7b60430cc0ec4f6a7b8b82ec762514.tar.gz |
security/ca-certificates: Clarify and adjust language

Point out that this is from Debian and that Debian's policy is unclear
(it's not on HOMEPAGE at least; they probably do have one).

Note that modification outside of the package's files is either to
base or to pkgsrc openssl.

Clarify that there's a supported way to exclude particular certs as
trust anchors.
Diffstat (limited to 'security')
-rw-r--r-- | security/ca-certificates/DESCR | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/security/ca-certificates/DESCR b/security/ca-certificates/DESCR index 62fe3ced40e..157ebde3796 100644 --- a/security/ca-certificates/DESCR +++ b/security/ca-certificates/DESCR @@ -1,12 +1,20 @@ -This package provides the certificates distributed by the Mozilla -Project and will, by default, install certificates trusted by the -Mozilla Project in the system OpenSSL certificate store. Modification -of system configuration files is very irregular as pkgsrc should not -write anything outside of ${PREFIX}. - -The sysadmin can configure the list of trusted certificates and also -add local certificates as needed by editing ca-certificates.conf and -re-running update-ca-certificates. +This package provides the root certificates distributed by the Mozilla +Project as curated by Debian in their package of the same name, along +with tools to manage the set of configured trust anchors for openssl. + +\todo Explain if Debian adds or removes, or if this is exactly the +same set. + +NB: Installing this package will modify the configuration of the +openssl implementation used by pkgsrc, which is either the base system +openssl or pkgsrc openssl. The modification is configuring every +certificate as a trust anchor. Modification of system configuration +files is very irregular as pkgsrc should not write anything outside of +${PREFIX}. + +The sysadmin can exclude CA certificates from the list of trust +anchors and also add local certificates as configured trust anchors by +editing ca-certificates.conf and re-running update-ca-certificates. See also the mozilla-rootcerts and mozilla-rootcerts-openssl packages for an alternative approach. |
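Review bot: The `\todo Explain if Debian adds or removes, or if this is exactly the same set.` paragraph added after the first paragraph lands in DESCR, which is the user-visible package description, so an open maintainer question would be shown to anyone reading the description. Either resolve it before committing (state whether Debian's set differs from Mozilla's) or move it to a comment in the package Makefile or a TODO file. Also in the NB paragraph, "The modification is configuring every certificate as a trust anchor" does not name the directory or file that is changed outside ${PREFIX}; naming it would let a sysadmin audit what the install touched, and pointing from that sentence to ca-certificates.conf would tie it to the exclusion mechanism described in the following paragraph.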