[MacPorts] #52508: gnutls @3.4.15 should rely on p11-kit for trust store

MacPorts noreply at macports.org
Wed Oct 5 09:02:18 CEST 2016


#52508: gnutls @3.4.15 should rely on p11-kit for trust store
---------------------------------+--------------------------------
 Reporter:  leonardo.schenkel@…  |      Owner:  macports-tickets@…
     Type:  defect               |     Status:  new
 Priority:  Normal               |  Milestone:
Component:  ports                |    Version:  2.3.4
 Keywords:                       |       Port:  gnutls
---------------------------------+--------------------------------
 The upstream default for `gnutls` is that it relies on `p11-kit` as the
 default trust store. By using `p11-kit` as the trust store, `gnutls`
 automatically inherits the following features:
 - automatically recognizes all the system-provided CA roots configured at
 build time
 - recognizes any other trusted certificates that are available in
 hardware tokens and marked as such
 - allows the administrator to customize the trust for any certificate
 and/or blacklist them (for example, by adding them to
 `${prefix}/etc/openssl/blacklist`)

 At present the port overrides the default configuration and forces
 `gnutls` to use the curl CA bundle file exclusively, which turns off all
 the features above besides the first. I am attaching a patch that changes
 the configuration back to the upstream default so the other two features
 are re-enabled.

 Note that the proposed change will have absolutely no impact on any
 existing users because:
 - `p11-kit` in MacPorts is configured to use (and has a hard dependency
 on) `curl-ca-bundle`, and uses the bundle as the trust store, so
 installing `gnutls` will still result in `curl-ca-bundle` being installed
 and the exact same set of certificates will end up being in the trust
 store by default
 - `p11-kit` is already a dependency of GnuTLS so there are no additional
 dependencies being introduced

 As a power user that both uses hardware tokens and customizes the trust of
 the default set of root certificates (mainly by blacklisting some), I miss
 these two features dearly. I think re-enabling them is a no-brainer since
 not only does it not affect the experience of 'regular' users but it also
 brings the port closer to the default upstream behaviour.

-- 
Ticket URL: <https://trac.macports.org/ticket/52508>
MacPorts <https://www.macports.org/>
Ports system for the Mac operating system
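The two trust-store settings the ticket contrasts, as an added Portfile fragment that is not the reporter's attached patch: the curl-bundle path and the PKCS#11 URI are assumptions (the ticket names only `${prefix}/etc/openssl/blacklist`), and GnuTLS picks the p11-kit trust module on its own when no file override is given.

```tcl
# Added illustration, not the ticket's patch. Assumed paths are marked.

# Current port behaviour: a single flat CA bundle is the whole trust store.
# Anything not in this file is untrusted, and p11-kit's blacklist directory
# and hardware-token anchors are never consulted.
# (bundle path is an assumption)
configure.args-append \
    --with-default-trust-store-file=${prefix}/share/curl/curl-ca-bundle.crt

# Upstream default: GnuTLS queries p11-kit's trust module instead of a file.
# p11-kit is still built against curl-ca-bundle, so the default anchor set is
# identical, but certificates dropped into ${prefix}/etc/openssl/blacklist
# are now distrusted and token-resident anchors are honoured.
# (the model= URI is an assumption; omitting the file flag is enough for
# configure to autodetect p11-kit, which is what "upstream default" means)
configure.args-append \
    --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust"
```

After rebuilding, `trust list --filter=blacklist` (from the p11-kit port) shows which certificates the new trust store actually distrusts, which is the quickest way to confirm the override is gone.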
