Manuel Bouyer <bou...@antioche.eu.org> writes:
>> The etc.tgz set, however, will have /etc/openssl/certs.conf. So if >> you naively unpack etc.tgz, `postinstall fix' will clobber your >> /etc/openssl/certs directory. > > As it will clobber others /etc/ files, so that's fine. Maybe this is too much, but perhaps certctl should look for a .certctl in /etc/openssl/certs and only if present rm/replace. Or really only limit the rm; adding to an empty dir is fine. Basically a token that says the dir is under the control of certctl. -f can override the check and write the token. I know this sounds like extra work, but the lesson I took from the pkgdb change is that things like that this are at least 10x harder than you think. Also people will have to uninstall mozilla-rootcerts-openssl.