while trying to bootstrap Gentoo Prefix, I ran into this issue where re-emerging ca-certificates resulted into collisions in /etc/ssl/certs. The problem appears to be due to openssl not being available at the time ca-certificates was emerged: /Volumes/Scratch/Gentoo/bootstrap64-20160124/usr/bin/c_rehash: rehashing skipped ('openssl' program not available) I know openssl is potentially a heavy dependency. Unless there is another way to solve these collisions, either ca-certificates or c_rehash should probably depend on openssl to avoid this.
that is the c_rehash program which comes from the c_rehash package. ca-certificates itself does not run openssl at all.
are you ok with adding openssl as dependency to c_rehash?
openssl has an RDEPEND on c_rehash, so c_rehash would create a loop. we probably want to make c_rehash a PDEPEND in openssl, and make openssl an RDEPEND in c_rehash.
added to RDEPEND here: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09d5a7b0ce9ff87dc6d8ad80f25e0028a55f3770 but need to update openssl to move it to PDEPEND otherwise we have a circular dep. with all the other business going on currently with openssl, this will take a bit.
This is no longer a problem at this point (or, we're able to work around it successfully).