Bug 262755

Summary: security/ca_root_nss: can no longer modify ${PREFIX}/etc/ssl/cert.pem
Product: Ports & Packages
Reporter: Franco Fichtner <franco>
Component: Individual Port(s)
Assignee: Jochen Neumeister <joneum>
Status: Closed FIXED
Severity: Affects Only Me
CC: chris, flo, joneum, kirill, pi, sipopo
Priority: ---
Flags: bugzilla: maintainer-feedback? (ports-secteam)
Version: Latest
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228550

Attachments:
  - ETCSYMLINK fix (flags: none)
  - revisited patch (flags: none)
  - revisited patch, corrected (flags: franco: maintainer-approval?)

Description Franco Fichtner 2022-03-24 08:50:51 UTC
Since this cert.pem, like /etc/ssl/cert.pem, is used by services, it must be adjustable like it previously was for @sample use.  Now the file is registered by the package and ends up being rewritten on upgrades.  ETCSYMLINK helps to edit contents of /etc/ssl/cert.pem still, but for ${PREFIX}/etc/ssl/cert.pem this is no longer possible.

From the change in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228550 I can't really agree on the whole assumption made for ETCSYMLINK option turned off in this regard.

Comment 1 Sergey Osipov 2022-04-22 08:38:52 UTC
It is important for me too. Could you change this back?

-	${LN} -sf ../../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample
+	${LN} -sf ../../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem
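
Review bot: The `+` line stages the symlink at the live path `${STAGEDIR}${PREFIX}/etc/ssl/cert.pem` instead of `cert.pem.sample`, which matches the bug description's report that the file is now registered by the package and rewritten on upgrades. Since that bundle is read by services as their trust store, a locally adjusted `${PREFIX}/etc/ssl/cert.pem` is replaced on every upgrade; restoring the `.sample` target from the `-` line for the ETCSYMLINK=off case would keep the live file under the administrator's control, as the description says it was under `@sample`.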

Comment 2 Franco Fichtner 2022-04-22 09:21:19 UTC
Created attachment 233392
ETCSYMLINK fix

Here is a patch that fixes the use case of ETCSYMLINK=off while trying to emulate what the original commit did.  I'm not sure about others CC'ed to this thread, but since there is no official statement I'm sharing this as a base for discussion.


Cheers,
Franco

Comment 3 Franco Fichtner 2022-04-22 09:22:57 UTC
(there may be an error in the link structure but as I said I'm not a user of ETCSYMLINK and I did not break it)

Comment 4 Sergey Osipov 2022-04-22 13:01:49 UTC
(In reply to Franco Fichtner from comment #2)
Thank you for your effort. It will solve my problem.

Comment 5 Franco Fichtner 2022-04-26 08:46:03 UTC
Created attachment 233493
revisited patch

Had some time today to test and this one seems to do it.

Comment 6 Franco Fichtner 2022-04-26 08:49:14 UTC
Created attachment 233494
revisited patch, corrected

oops, uploaded partial patch

Comment 7 commit-hook freebsd_committer freebsd_triage 2022-05-28 13:59:34 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ccb9f933491611faff4958a14b0f03ae64e374bb

commit ccb9f933491611faff4958a14b0f03ae64e374bb
Author:     Jochen Neumeister <joneum@FreeBSD.org>
AuthorDate: 2022-05-28 13:56:16 +0000
Commit:     Jochen Neumeister <joneum@FreeBSD.org>
CommitDate: 2022-05-28 13:59:00 +0000

    security/ca_root_nss: Update to 3.78

    Update to 3.78
    changelog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/hQUjX_jwbEk

    While here, fix a problem with ETCSYMLINK (1)

    PR:     262755 (1)
    Sponsored by:   Netzkommune GmbH

 security/ca_root_nss/Makefile  | 8 +++++---
 security/ca_root_nss/distinfo  | 6 +++---
 security/ca_root_nss/pkg-plist | 6 ++++--
 3 files changed, 12 insertions(+), 8 deletions(-)