Bug 237986

Summary: lang/go should RUN_DEPENDS on ca_root_nss to reliably fetch imports
Product: Ports & Packages Reporter: hartzell
Component: Individual Port(s) Assignee: Julien Laffaye <jlaffaye>
Status: Closed Works As Intended    
Severity: Affects Many People CC: dmgk
Priority: --- Flags: bugzilla: maintainer-feedback? (jlaffaye)
Version: Latest   
Hardware: Any   
OS: Any   

Description hartzell 2019-05-19 21:08:57 UTC
Attempting to build go programs that import packages hosted by golang.org fails unless ca_root_nss is installed.

E.g.

go: golang.org/x/sync@v0.0.0-20190423024810-112230192c58: unrecognized import path "golang.org/x/sync" (https fetch: Get https://golang.org/x/sync?go-get=1: x509: certificate signed by unknown authority)

Presumably other sites that use unrecognized certs will also fail.

I tripped over this when building in synth, which sets up clean environments.

Comment 1 Dmitri Goutnik freebsd_committer freebsd_triage 2019-05-22 22:27:59 UTC
(In reply to hartzell from comment #0)

Network access is not allowed during build, so missing ca_root_nss shouldn't prevent building of any correctly written port. And even if lang/go had a dependency on security/ca_root_nss, the next step for go will be to fetch sources using git (or hg/svn/bzr, depending on the repo) which would be missing too.

Comment 2 hartzell 2019-05-22 22:52:41 UTC
> Network access is not allowed during the build, [...]

I wasn't clear, this is not a poudriere build, but as a regular user of the go package, once it's been installed.

Your next point makes sense, the go port should no more have a dependency on the `security/ca_root_nss` than it should on the other bits involved in the `go build` step (or `go mod download`).

It's up to the end user to install them separately if they're desired.

That makes sense.

I believe that this can be closed.  Should I do it or should "someone else"?