dev-libs/openssl is in RDEPEND, but /usr/sbin/update-ca-certificates doesn't use openssl (it's a rather simple script).
(In reply to comment #0)
> /usr/sbin/update-ca-certificates doesn't use openssl

yes, it does

$ grep c_rehash /usr/sbin/update-ca-certificates
	c_rehash . > /dev/null
	c_rehash .
$ qfile /usr/bin/c_rehash
dev-libs/openssl (/usr/bin/c_rehash)
Sorry, you are right. "man update-ca-certificates" had a reference to c_rehash at the end, but "man c_rehash" yielded nothing, and I assumed that it was optional for something in other distros. Should have known better. :)

So I looked into it a bit more, and here is something interesting: c_rehash does something optional. From the manual page found here: http://www.digipedia.pl/man/doc/view/c_rehash.1ssl/

"c_rehash scans directories and takes a hash value of each .pem and .crt file in the directory. It then creates symbolic links for each of the files named by the hash value. This is useful as many programs require directories to be set up like this in order to find the certificates they require."

And in the c_rehash script itself:

	if($found == 0) {
		print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
		exit 0;
	}

The exit code is 0 - it's OK not to have OpenSSL installed (although the script does come with dev-libs/openssl).

So perhaps the update-ca-certificates script can be patched to check if c_rehash is available? It seems that it's possible that a user would want a system with root certificates, but without openssl (gnutls?).

I am reopening the bug to make sure you see this. :)
I don't think it's that simple. My understanding is that if you have old hashes installed, c_rehash will clean those up as well, and if they aren't cleaned up, things get screwy fast. So update-ca-certificates would need logic to also clean up old hashes if c_rehash isn't available.

If you still want this behavior, the best place to ask for it is at Debian's bug site since they're the maintainers of the package. You can use their e-mail system without installing Debian or anything: http://www.debian.org/Bugs/Reporting

Personally, I don't think the effort is worth the trade-off.
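The cleanup step discussed above is the part that would be missing if update-ca-certificates merely skipped c_rehash. As an added illustration (not code from this bug, from update-ca-certificates or from OpenSSL's c_rehash), the POSIX sh below does what c_rehash does in the order it does it: it first removes every symlink whose name has the hash-link shape (eight hex digits, a dot, an optional "r" for CRLs, a number), then, only if an openssl binary is present, recreates links from the subject hash of each .pem/.crt file, appending a counter when two certificates share a hash. If openssl is absent it prints the same kind of "rehashing skipped" message and still exits 0, so an installation without OpenSSL is left with no stale links rather than with dangling ones. Function names and the warning text are my own choices; the only external tool assumed is `openssl x509 -hash -noout`.

```shell
#!/bin/sh
# Added example: rehash a certificate directory the way c_rehash does,
# including the removal of old hash links before creating new ones.

# True when $1 looks like a hash link name: 8 hex digits, ".", optional "r", digits.
is_hash_link_name() {
    case $1 in
        ????????.[0-9]|????????.[0-9][0-9]|????????.r[0-9]|????????.r[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    case ${1%%.*} in
        *[!0-9a-f]*) return 1 ;;   # prefix must be lowercase hex
    esac
    return 0
}

# Remove every existing hash-style symlink in $1, dangling or not. This is the
# step that makes stale links from removed or renamed certificates go away.
prune_hash_links() {
    prune_dir=$1
    for prune_link in "$prune_dir"/*; do
        [ -L "$prune_link" ] || continue
        is_hash_link_name "${prune_link##*/}" || continue
        rm -f "$prune_link"
    done
}

# Create <subjecthash>.<n> -> <basename of cert> in $1 for the certificate $2,
# choosing the first free n so that certificates with equal hashes coexist.
link_cert() {
    link_dir=$1
    link_cert_path=$2
    link_hash=$(openssl x509 -hash -noout -in "$link_cert_path" 2>/dev/null) || return 1
    link_n=0
    while [ -e "$link_dir/$link_hash.$link_n" ] || [ -L "$link_dir/$link_hash.$link_n" ]; do
        link_n=$((link_n + 1))
    done
    ln -s "${link_cert_path##*/}" "$link_dir/$link_hash.$link_n"
}

# Rehash directory $1. Always prunes old links; creates new ones only when
# openssl is available, and returns 0 in both cases (mirrors c_rehash's exit 0).
rehash_dir() {
    rehash_dir_path=$1
    prune_hash_links "$rehash_dir_path"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "rehash: rehashing skipped ('openssl' program not available)" >&2
        return 0
    fi
    for rehash_cert in "$rehash_dir_path"/*.pem "$rehash_dir_path"/*.crt; do
        [ -f "$rehash_cert" ] || continue   # unmatched glob or not a regular file
        link_cert "$rehash_dir_path" "$rehash_cert" \
            || echo "rehash: warning: could not hash $rehash_cert" >&2
    done
    return 0
}

# Usage: rehash_dir /etc/ssl/certs
```

Pruning all hash links rather than only dangling ones matters because the link names depend on the hash algorithm: OpenSSL 1.0.0 changed the subject hash, so links created by an older release resolve to valid files under names the newer library never looks up, which is exactly the "things get screwy fast" situation described above.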
Thanks for the suggestion, I have contacted the maintainers. This bug is already discussed here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=407550