| Summary: | security/ca_root_nss pkg-message claims to use symlinks but mostly doesn't | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Jeremy Chadwick <jdc> |
| Component: | Individual Port(s) | Assignee: | Jochen Neumeister <joneum> |
| Status: | Open --- | | |
| Severity: | Affects Only Me | CC: | des, fbsdbugs4, freebsd, joneum, rosenke, w.schwarzenfeld |
| Priority: | --- | Flags: | fbsdbugs4: maintainer-feedback? |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |

Description
Jeremy Chadwick
2018-05-27 18:37:34 UTC
What is the current status? Does ports-secteam have to be active here?

ping!

No answer to my question from 2019-02-15. Closed

Re-opening because this problem has not gone away. I don't know why FreeBSD project members would think that. You can verify the problem yourself; the initial report contains the details. ports-secteam@ is the maintainer of this port. I do not know if "they should be involved", as I suspect there is only 1 person in that team who actually maintains this port. No idea who that is.

To recap: the problem is explained in the description of this bug, and at the end of my initial comment:

> Thus: either the message is wrong/incorrect, or something changed between when the message was written and present that removed use of symlinks and instead uses literal copies.

> I reviewed the Makefile, target do-install, and all I see being done symlink-wise is for .sample files. I'm not even sure what's generating the non-.sample files...

So: either a) pkg-message needs to be updated to reflect the truth, or b) actual symlinks need to be used everywhere and not copies.

I just ran into this problem having discovered that there was an outdated cert.pem from 2015 in /usr/local/etc/ssl and only a cert.pem.sample -> ../../share/certs/ca-root-nss.crt link, which is why using fetch for sites with the new Let's Encrypt root certificate was failing. The package message is wrong.

Created attachment 232249
example patch for ca_root_nss
A commit in branch main references this bug:

```
URL: https://cgit.FreeBSD.org/ports/commit/?id=8c042351fc7f0b70658c9bb1207a781b1f0fb10b

commit 8c042351fc7f0b70658c9bb1207a781b1f0fb10b
Author:     Jochen Neumeister <joneum@FreeBSD.org>
AuthorDate: 2022-03-13 12:02:55 +0000
Commit:     Jochen Neumeister <joneum@FreeBSD.org>
CommitDate: 2022-03-13 12:05:08 +0000

    security/ca_root_nss: Update to 3.76

    Update to 3.76 and fix do-install (1)

    PR:             228550 (1)
    Approved by:    ports-secteam (with hat)
    Sponsored by:   Netzkommune GmbH

 security/ca_root_nss/Makefile  | 6 +++---
 security/ca_root_nss/distinfo  | 6 +++---
 security/ca_root_nss/pkg-plist | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)
```

This is now broken again. On a 13.3-RELEASE-p2 system, we now find 3 physical copies of the certificate:

```
root@host:~ # find / \( -name "cert.pem" -or -name "ca-root-nss.crt" \) -ls
    50     1536 -rw-r--r--    1 root  wheel  746820 Oct 10 02:03 /usr/local/share/certs/ca-root-nss.crt
    30     1536 -rw-r--r--    1 root  wheel  746820 Oct 10 02:03 /usr/local/etc/ssl/cert.pem
    51     1536 -rw-r--r--    1 root  wheel  746820 Oct 10 02:03 /usr/local/openssl/cert.pem
201237        0 lrwxr-xr-x    1 root  wheel      43 Oct 10 02:03 /etc/ssl/cert.pem -> ../../usr/local/share/certs/ca-root-nss.crt
root@host:~ # pkg info | grep ca_root_nss
ca_root_nss-3.93_2             Root certificate bundle from the Mozilla Project
```

I am not sure if this has to do with the changes Dag-Erling has made to the port. I add him to this PR for his opinion.
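
A check for the condition reported in this PR, added here as an example (it is not part of the port or of any comment above): it classifies each cert.pem location as a symlink to the bundle, an identical physical copy, or a stale copy. The function names and the temporary demo tree are constructed for illustration; the relative paths mirror those quoted in the report.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the port.

# classify_ca_file BUNDLE PATH: print one word describing PATH.
classify_ca_file() {
    bundle=$1; path=$2
    if [ -L "$path" ]; then
        [ -e "$path" ] || { echo dangling-symlink; return; }
        # -ef: both names resolve to the same device and inode.
        if [ "$path" -ef "$bundle" ]; then echo symlink-to-bundle
        else echo symlink-elsewhere; fi
    elif [ ! -e "$path" ]; then
        echo missing
    elif cmp -s "$path" "$bundle"; then
        echo identical-copy   # in sync now, but will not follow bundle updates
    else
        echo stale-copy       # content differs from the installed bundle
    fi
}

# audit_ca_files BUNDLE PATH...: report each PATH; return 1 unless all are live symlinks to BUNDLE.
audit_ca_files() {
    bundle=$1; shift; rc=0
    for p in "$@"; do
        state=$(classify_ca_file "$bundle" "$p")
        printf '%-18s %s\n' "$state" "$p"
        [ "$state" = symlink-to-bundle ] || rc=1
    done
    return "$rc"
}

# Constructed demo tree (temporary files, not real certificates) laid out
# like the paths quoted in the report; prints its root directory.
demo_tree() {
    root=$(mktemp -d)
    certs=$root/usr/local/share/certs
    mkdir -p "$certs" "$root/usr/local/etc/ssl" "$root/usr/local/openssl" "$root/etc/ssl"
    echo "bundle v2" > "$certs/ca-root-nss.crt"
    echo "bundle v1" > "$root/usr/local/etc/ssl/cert.pem"   # outdated copy
    cp "$certs/ca-root-nss.crt" "$root/usr/local/openssl/cert.pem"
    ln -s ../../usr/local/share/certs/ca-root-nss.crt "$root/etc/ssl/cert.pem"
    echo "$root"
}

r=$(demo_tree)
audit_ca_files "$r/usr/local/share/certs/ca-root-nss.crt" \
    "$r/usr/local/etc/ssl/cert.pem" "$r/usr/local/openssl/cert.pem" \
    "$r/etc/ssl/cert.pem" || echo "not all locations are symlinks to the bundle"
rm -rf "$r"
```

On a real system, call `audit_ca_files` with the bundle path and the cert.pem locations from the `find` output above; a non-zero return means at least one location is a physical copy or a broken link.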