#52508: gnutls @3.4.15 should rely on p11-kit for trust store
---------------------------------+--------------------------------
 Reporter: leonardo.schenkel@…   |      Owner: macports-tickets@…
     Type: defect                |     Status: new
 Priority: Normal                |  Milestone:
Component: ports                 |    Version: 2.3.4
 Keywords:                       |       Port: gnutls
---------------------------------+--------------------------------

The upstream default for `gnutls` is that it relies on `p11-kit` as the default trust store. By using `p11-kit` as the trust store, `gnutls` automatically inherits the following features:

- automatically recognizes all the system-provided CA roots configured at build time
- recognizes any other trusted certificates that are available in hardware tokens and marked as such
- allows the administrator to customize the trust for any certificate and/or blacklist them (for example, by adding them to `${prefix}/etc/openssl/blacklist`)

At present the port overrides the default configuration and forces `gnutls` to use the curl CA bundle file exclusively, which turns off all the features above besides the first.

I am attaching a patch that changes the configuration back to the upstream default so the other two features are re-enabled.

Note that the proposed change will have absolutely no impact on any existing users because:

- `p11-kit` in MacPorts is configured to use (and has a hard dependency on) `curl-ca-bundle`, and uses the bundle as the trust store, so installing `gnutls` will still result in `curl-ca-bundle` being installed and the exact same set of certificates will end up being in the trust store by default
- `p11-kit` is already a dependency of GnuTLS, so no additional dependencies are being introduced

As a power user who both uses hardware tokens and customizes the trust of the default set of root certificates (mainly by blacklisting some), I miss these two features dearly.

I think re-enabling them is a no-brainer, since not only does it not affect the experience of 'regular' users, but it also brings the port closer to the default upstream behaviour.

--
Ticket URL: <https://trac.macports.org/ticket/52508>
MacPorts <https://www.macports.org/>
Ports system for the Mac operating system