Bug 262755 - security/ca_root_nss: can no longer modify ${PREFIX}/etc/ssl/cert.pem
Summary: security/ca_root_nss: can no longer modify ${PREFIX}/etc/ssl/cert.pem
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Jochen Neumeister
Reported: 2022-03-24 08:50 UTC by Franco Fichtner
Modified: 2023-09-20 08:27 UTC
bugzilla: maintainer-feedback? (ports-secteam)


Attachments
ETCSYMLINK fix (1.84 KB, patch)
2022-04-22 09:21 UTC, Franco Fichtner
revisited patch (1.31 KB, patch)
2022-04-26 08:46 UTC, Franco Fichtner
revisited patch, corrected (1.88 KB, patch)
2022-04-26 08:49 UTC, Franco Fichtner
franco: maintainer-approval?

Description Franco Fichtner 2022-03-24 08:50:51 UTC
Since this cert.pem, like /etc/ssl/cert.pem, is used by services, it must be adjustable like it previously was for @sample use. Now the file is registered by the package and ends up being rewritten on upgrades. ETCSYMLINK still helps to edit the contents of /etc/ssl/cert.pem, but for ${PREFIX}/etc/ssl/cert.pem this is no longer possible.

From the change in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228550 I can't really agree on the whole assumption made for ETCSYMLINK option turned off in this regard.
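
Added example, not part of the original report or the port: a shell check an administrator could use to tell whether ${PREFIX}/etc/ssl/cert.pem is a local edit or a link to the packaged bundle, run here on a constructed scenario where a locally added CA disappears once the path is replaced. The function names, state names and temporary directory layout are assumptions, and the certificate blocks are constructed placeholders.

```sh
#!/bin/sh
# Added example, not the port's code. Names and layout are assumptions.

# Count PEM certificate blocks in a file (prints 0 if unreadable).
cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# cert_pem_state CERT_PEM PACKAGED_BUNDLE
# Prints: missing | dangling-symlink | symlink-to-bundle | symlink-elsewhere |
#         identical-copy | locally-modified
cert_pem_state() {
    if [ -L "$1" ]; then
        if [ ! -e "$1" ]; then echo dangling-symlink
        elif [ "$1" -ef "$2" ]; then echo symlink-to-bundle
        else echo symlink-elsewhere
        fi
    elif [ ! -e "$1" ]; then echo missing
    elif cmp -s "$1" "$2"; then echo identical-copy
    else echo locally-modified
    fi
}

# Constructed scenario: an admin appends a private CA to cert.pem, then the
# path is re-created as a symlink to the packaged bundle.
simulate_upgrade() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/share/certs" "$d/etc/ssl"
    bundle=$d/share/certs/ca-root-nss.crt
    pem=$d/etc/ssl/cert.pem
    # Placeholder blocks, not real certificates.
    for n in 1 2; do
        printf '%s\nCONSTRUCTED%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$n" '-----END CERTIFICATE-----'
    done > "$bundle"
    cp "$bundle" "$pem"
    printf '%s\nLOCALCA\n%s\n' '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' >> "$pem"
    before="$(cert_pem_state "$pem" "$bundle"):$(cert_count "$pem")"
    ln -sf "$bundle" "$pem"    # stand-in for the upgrade replacing the path
    after="$(cert_pem_state "$pem" "$bundle"):$(cert_count "$pem")"
    rm -rf "$d"
    echo "$before -> $after"
}

simulate_upgrade
```

Recording the state and count before an upgrade and comparing afterwards shows whether a trust-store customization was reverted.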
Comment 1 Sergey Osipov 2022-04-22 08:38:52 UTC
It is important for me too. Could you change this back?

-	${LN} -sf ../../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample
+	${LN} -sf ../../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem
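Review bot: the + line stages the symlink directly at ${PREFIX}/etc/ssl/cert.pem instead of cert.pem.sample, so the path itself becomes a packaged file and, as the description reports, is rewritten on upgrades. Restoring the .sample name from the - line, with the @sample handling the description mentions, would let a locally adjusted cert.pem survive an upgrade.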
Comment 2 Franco Fichtner 2022-04-22 09:21:19 UTC
Created attachment 233392
ETCSYMLINK fix

Here is a patch that fixes the use case of ETCSYMLINK=off while trying to emulate what the original commit did.  I'm not sure about others CC'ed to this thread, but since there is no official statement I'm sharing this as a base for discussion.


Cheers,
Franco
Comment 3 Franco Fichtner 2022-04-22 09:22:57 UTC
(there may be an error in the link structure but as I said I'm not a user of ETCSYMLINK and I did not break it)
Comment 4 Sergey Osipov 2022-04-22 13:01:49 UTC
(In reply to Franco Fichtner from comment #2)
Thank you for your effort. It will solve my problem.
Comment 5 Franco Fichtner 2022-04-26 08:46:03 UTC
Created attachment 233493
revisited patch

Had some time today to test and this one seems to do it.
Comment 6 Franco Fichtner 2022-04-26 08:49:14 UTC
Created attachment 233494
revisited patch, corrected

oops, uploaded partial patch
Comment 7 commit-hook freebsd_committer freebsd_triage 2022-05-28 13:59:34 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ccb9f933491611faff4958a14b0f03ae64e374bb

commit ccb9f933491611faff4958a14b0f03ae64e374bb
Author:     Jochen Neumeister <joneum@FreeBSD.org>
AuthorDate: 2022-05-28 13:56:16 +0000
Commit:     Jochen Neumeister <joneum@FreeBSD.org>
CommitDate: 2022-05-28 13:59:00 +0000

    security/ca_root_nss: Update to 3.78

    Update to 3.78
    changelog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/hQUjX_jwbEk

    While here, fix a problem with ETCSYMLINK (1)

    PR:     262755 (1)
    Sponsored by:   Netzkommune GmbH

 security/ca_root_nss/Makefile  | 8 +++++---
 security/ca_root_nss/distinfo  | 6 +++---
 security/ca_root_nss/pkg-plist | 6 ++++--
 3 files changed, 12 insertions(+), 8 deletions(-)