Bug 340209 - app-misc/ca-certificates shouldn't depend on dev-libs/openssl
Summary: app-misc/ca-certificates shouldn't depend on dev-libs/openssl
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo's Team for Core System packages
URL: http://bugs.debian.org/cgi-bin/bugrep...
Reported: 2010-10-09 00:03 UTC by Faustus
Modified: 2010-10-17 18:41 UTC
Description Faustus 2010-10-09 00:03:26 UTC
dev-libs/openssl is in RDEPEND, but /usr/sbin/update-ca-certificates doesn't use openssl (it's a rather simple script).
Comment 1 SpanKY gentoo-dev 2010-10-09 05:50:46 UTC
(In reply to comment #0)
> /usr/sbin/update-ca-certificates doesn't use openssl

yes, it does

$ grep c_rehash /usr/sbin/update-ca-certificates
    c_rehash . > /dev/null
    c_rehash .
$ qfile /usr/bin/c_rehash
dev-libs/openssl (/usr/bin/c_rehash)
Comment 2 Faustus 2010-10-09 10:34:17 UTC
Sorry, you are right. "man update-ca-certificates" had a reference to c_rehash at the end, but "man c_rehash" yielded nothing, and I assumed that it was optional for something in other distros. Should have known better. :)

So I looked into it a bit more, and here is something interesting: c_rehash does something optional. From the manual page found here: http://www.digipedia.pl/man/doc/view/c_rehash.1ssl/

"c_rehash scans directories and takes a hash value of each .pem and .crt file in the directory. It then creates symbolic links for each of the files named by the hash value. This is useful as many programs require directories to be set up like this in order to find the certificates they require."

And in the c_rehash script itself:

    if($found == 0) {
        print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
        exit 0;
    }

The exit code is 0 - it's ok not to have OpenSSL installed (although the script does come with dev-libs/openssl).

So perhaps the update-ca-certificates script can be patched to check if c_rehash is available? It seems that it's possible that a user would want a system with root certificates, but without openssl (gnutls?).

I am reopening the bug to make sure you see this. :)
Comment 3 SpanKY gentoo-dev 2010-10-09 22:10:56 UTC
i don't think it's that simple. my understanding is that if you have old hashes installed, c_rehash will clean those up as well. and if they aren't cleaned up, things get screwy fast. so update-ca-certificates would need logic to also clean up old hashes if c_rehash isn't available.

if you still want this behavior, the best place to ask for it is at Debian's bug site since they're the maintainers of the package.  you can use their e-mail system without installing Debian or anything:
  http://www.debian.org/Bugs/Reporting

personally, i don't think the effort is worth the trade-off
Comment 4 Faustus 2010-10-17 17:34:52 UTC
Thanks for the suggestion, I have contacted the maintainers. This bug is already discussed here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=407550
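
The fallback discussed in comments 2 and 3, as an added example (not code from update-ca-certificates, c_rehash, or any commenter): run c_rehash when it is installed, otherwise remove old hash symlinks so stale links do not keep pointing at certificates that were removed or replaced. The function names and the link-name pattern (hex digits, a dot, an optional "r" for CRLs, then a sequence number) are assumptions made for this example.

```sh
#!/bin/sh
# Added example: optional-c_rehash fallback for a certificate directory.

# is_hash_link_name NAME: true if NAME has the assumed hash-link form,
# e.g. "deadbeef.0" (certificate) or "deadbeef.r0" (CRL).
is_hash_link_name() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[0-9a-f]+\.r?[0-9]+$'
}

# clean_hash_links DIR: remove symlinks in DIR whose names look like
# hash links, whether or not their target still exists.
# Regular files are never touched. Prints the number of links removed.
clean_hash_links() {
    dir=$1
    removed=0
    for entry in "$dir"/*; do
        [ -L "$entry" ] || continue                  # symlinks only
        is_hash_link_name "${entry##*/}" || continue # hash-style names only
        rm -f -- "$entry" && removed=$((removed + 1))
    done
    echo "$removed"
}

# rehash_or_clean DIR: prefer c_rehash; without it, at least make sure
# no stale hash links are left behind in DIR.
rehash_or_clean() {
    if command -v c_rehash >/dev/null 2>&1; then
        c_rehash "$1" >/dev/null
    else
        echo "c_rehash not found; removing old hash links in $1" >&2
        clean_hash_links "$1" >/dev/null
    fi
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    rehash_or_clean "$1"
fi
```

Without c_rehash the directory ends up with no hash links at all, so programs that look certificates up by hash in that directory will not find them until a rehash is run.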