Created attachment 228052
Patch to upgrade
This release addresses an automatic re-salting after a migration from 1.4 and an error manifesting as a key_data_update failure in the logs where a retired key wasn’t removed from the signer configuration in time in certain circumstances. Also an RPM is now provided for RHEL/CentOS distros at the same download location.
Issues
* OPENDNSSEC-955: Prevent concurrency between certain valid PKCS#11 HSM operations to avoid some keys to be (transiently) unavailable.
* OPENDNSSEC-956: Harden signing procedure to still sign zones for which there are unused keys specified in the zone which are unavailable.
* OPENDNSSEC-957: Fix exit code signer daemon to not always report failure.
* OPENDNSSEC-958: Fix immediate resalting after migration from 1.4.
* OPENDNSSEC-959: Emit warning on ods-kaspcheck for NSEC iteration count that is deemed too high.
* SUPPORT-265: Resolve conflict when deleting keys from HSM whilst also performing step in key roll process. Typically a message “key_data_update failed” is present in logs.
Provided RedHat/CentOS spec file in contrib directory.
Hello,
Portclippy seems to say that some variables need to be better sorted and organized in their sections. Portfmt could give some adjustments as well. Could you try these tools?
(In reply to Nuno Teixeira from comment #1)
I've always used portlint and that doesn't seem to have any problems, but feel free to make adjustments as you see fit. Meanwhile, I'll take a look at portfmt.
All URLs to opendnssec.org also redirect to https
(In reply to Jaap Akkerhuis from comment #2)
Remember that portlint, portclippy and portfmt are tools that we do not have to follow blindly like any other tool.
1. portlint: OK
2. portclippy Makefile:
---
# PORTNAME block
PORTNAME
DISTVERSION
CATEGORIES
MASTER_SITES
PKGNAMESUFFIX
# Maintainer block
MAINTAINER
COMMENT
# License block
LICENSE
LICENSE_FILE
# Dependencies
BUILD_DEPENDS
LIB_DEPENDS
# USES block
USES
USE_RC_SUBR
# Configure block
GNU_CONFIGURE
CONFIGURE_ARGS
# Make block
+INSTALL_TARGET
-SUB_FILES
# Conflicts
CONFLICTS
# Standard bsd.port.mk variables
+SUB_FILES
# Users and groups block
USERS
GROUPS
# Options definitions
OPTIONS_DEFINE
OPTIONS_DEFAULT
-OPTIONS_SUB
OPTIONS_SINGLE
OPTIONS_SINGLE_DB
+OPTIONS_SUB
# Options descriptions
+MYSQL_DESC
SOFTHSM_DESC
-MYSQL_DESC
SQLITE_DESC
# Options helpers
+MYSQL_USES
MYSQL_CONFIGURE_ON
+SOFTHSM_RUN_DEPENDS
+SOFTHSM_CONFIGURE_ON
+SQLITE_BUILD_DEPENDS
-MYSQL_USES
SQLITE_USES
SQLITE_CONFIGURE_ON
-SQLITE_BUILD_DEPENDS
-SOFTHSM_CONFIGURE_ON
-SOFTHSM_RUN_DEPENDS
-INSTALL_TARGET
---
These changes seem fine to me.
3. portfmt -D Makefile:
---
--- Makefile +++ Makefile 
@@ -31,23 +31,22 @@ GROUPS= opendnssec PORTDOCS= MIGRATION NEWS README.md -MIGRATE= README.md find_problematic_zones.sql \ - convert_mysql mysql_convert.sql \ - convert_sqlite sqlite_convert.sql +MIGRATE= README.md find_problematic_zones.sql convert_mysql \ + mysql_convert.sql convert_sqlite sqlite_convert.sql CONVERT= convert_mysql_to_sqlite convert_sqlite_to_mysql SCHEMAS= schema.mysql schema.sqlite -OPTIONS_DEFINE= SOFTHSM DOCS +OPTIONS_DEFINE= DOCS SOFTHSM OPTIONS_DEFAULT= SQLITE OPTIONS_SUB= yes OPTIONS_SINGLE= DB -OPTIONS_SINGLE_DB= SQLITE MYSQL +OPTIONS_SINGLE_DB= MYSQL SQLITE -SOFTHSM_DESC= SoftHSM cryptographic store for PKCS \#11 interface +SOFTHSM_DESC= SoftHSM cryptographic store for PKCS \#11 interface -MYSQL_DESC= Use MYSQL backend -SQLITE_DESC= Use SQLite backend +MYSQL_DESC= Use MYSQL backend +SQLITE_DESC= Use SQLite backend MYSQL_CONFIGURE_ON= --with-enforcer-database=mysql MYSQL_USES= mysql @@ -59,7 +58,7 @@ SOFTHSM_CONFIGURE_ON= --with-pkcs11-softhsm=${LOCALBASE}/lib/softhsm/libsofthsm2.so SOFTHSM_RUN_DEPENDS= softhsm2>=2.5.0:security/softhsm2 -INSTALL_TARGET= install-strip +INSTALL_TARGET= install-strip pre-build: ${REINPLACE_CMD} -e "s|\(-lcrypto\)|-L${OPENSSLLIB} \1|g" \
---
- MIGRATE part is ok with better look at 72 columns
- OPTIONS_DEFINE is ok with alphabetical order
- OPTIONS_SINGLE_DB is ok with alphabetical order
- TABS are optional
portfmt is a bit tricky and I am always careful with this tool.
Cheers
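Review bot: The portfmt changes are better landed as their own commit, separate from the version update, because nothing in either hunk is functional. In the first hunk the SOFTHSM_DESC, MYSQL_DESC and SQLITE_DESC pairs carry identical text on the - and + sides, MIGRATE is only re-wrapped, and OPTIONS_DEFINE and OPTIONS_SINGLE_DB are only re-ordered with OPTIONS_DEFAULT= SQLITE left untouched; in the second hunk the INSTALL_TARGET pair is likewise whitespace-only. Keeping that noise apart from the upgrade makes the lines that actually change what gets fetched and built easy to audit. While the line is being touched anyway, MYSQL_DESC could read "Use MySQL backend" to match the capitalisation used in SQLITE_DESC.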
Created attachment 228658
Patch to upgrade
This new version of the patch has a Makefile that satisfies portfmt(1). Can we commit this now?
Hello,
IMO,
1. pkg-descr WWW should be https://URL instead of http://URL because the actual URL redirects to https://, like Daniel said
2. There is something to order in Makefile:
- move INSTALL_TARGET to Make block
- move SUB_FILES to Standard bsd.port.mk variables
- alphabetical order in Options definitions, descriptions and helpers
---
# Make block
+INSTALL_TARGET
-SUB_FILES
# Conflicts
CONFLICTS
# Standard bsd.port.mk variables
+SUB_FILES
# Users and groups block
USERS
GROUPS
# Options definitions
OPTIONS_DEFINE
OPTIONS_DEFAULT
-OPTIONS_SUB
OPTIONS_SINGLE
OPTIONS_SINGLE_DB
+OPTIONS_SUB
# Options descriptions
+MYSQL_DESC
SOFTHSM_DESC
-MYSQL_DESC
SQLITE_DESC
# Options helpers
+MYSQL_USES
MYSQL_CONFIGURE_ON
+SOFTHSM_RUN_DEPENDS
+SOFTHSM_CONFIGURE_ON
+SQLITE_BUILD_DEPENDS
-MYSQL_USES
SQLITE_USES
SQLITE_CONFIGURE_ON
-SQLITE_BUILD_DEPENDS
-SOFTHSM_CONFIGURE_ON
-SOFTHSM_RUN_DEPENDS
-INSTALL_TARGET
---
Cheers
Created attachment 228692
Patch to upgrade
Yet another one
Take.
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=0dc3b20833d713cf01322e60f2b6eb8b4581e8cc
commit 0dc3b20833d713cf01322e60f2b6eb8b4581e8cc
Author: Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2021-10-17 13:39:26 +0000
Commit: Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2021-10-18 07:13:48 +0000
    dns/opendnssec2: Update to 2.1.10
    * Pet portclippy
    * Reformat Makefile with portfmt
    ReleaseNotes: https://www.opendnssec.org/2021/09/opendnssec-2-1-10/
    PR: 258631
    Approved by: ygy (mentor)
    Differential Revision: https://reviews.freebsd.org/D32536
 dns/opendnssec2/Makefile | 37 ++++++++++++++++---------------------
 dns/opendnssec2/distinfo | 6 +++---
 2 files changed, 19 insertions(+), 24 deletions(-)
Committed. Thanks!