Bug 228550 - security/ca_root_nss pkg-message claims to use symlinks but mostly doesn't
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Ports Security Team
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-27 18:37 UTC by Jeremy Chadwick
Modified: 2019-08-16 03:03 UTC (History)

See Also:
Flags: bugzilla: maintainer-feedback? (ports-secteam)


Description Jeremy Chadwick 2018-05-27 18:37:34 UTC
ca_root_nss's pkg-message claims the following:

===
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual
intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem
===

This appears to be mostly false: only one of those files is a symlink, the others are actual data (and not hardlinked either, all different inodes).  Proof:

$ ls -li /etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem
 1926146 lrwxr-xr-x    1 root      wheel         38 May 25 18:12 /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
15168803 -rw-r--r--    1 root      wheel     789991 May 25 18:12 /usr/local/etc/ssl/cert.pem
15168805 -rw-r--r--    1 root      wheel     789991 May 25 18:12 /usr/local/openssl/cert.pem

And let's check out /usr/local/share/certs/ca-root-nss.crt for completion:

$ ls -li /usr/local/share/certs/ca-root-nss.crt
15168667 -rw-r--r--    1 root      wheel     789991 May 25 18:12 /usr/local/share/certs/ca-root-nss.crt

And the md5s of all the literal files:

$ md5 /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem /usr/local/share/certs/ca-root-nss.crt
MD5 (/usr/local/etc/ssl/cert.pem) = 2e98964306c1868bcabf06364514f216
MD5 (/usr/local/openssl/cert.pem) = 2e98964306c1868bcabf06364514f216
MD5 (/usr/local/share/certs/ca-root-nss.crt) = 2e98964306c1868bcabf06364514f216

So: three (3) physical copies of the same file, and one symlink to one of those copies.  Let's look further:

$ pkg info -l ca_root_nss
ca_root_nss-3.37.1:
        /etc/ssl/cert.pem
        /usr/local/etc/ssl/cert.pem.sample
        /usr/local/openssl/cert.pem.sample
        /usr/local/share/certs/ca-root-nss.crt
        /usr/local/share/licenses/ca_root_nss-3.37.1/LICENSE
        /usr/local/share/licenses/ca_root_nss-3.37.1/MPL20
        /usr/local/share/licenses/ca_root_nss-3.37.1/catalog.mk

$ ls -l /usr/local/etc/ssl/cert.pem.sample /usr/local/openssl/cert.pem.sample
lrwxr-xr-x    1 root      wheel     38 May 25 18:12 /usr/local/etc/ssl/cert.pem.sample -> /usr/local/share/certs/ca-root-nss.crt
lrwxr-xr-x    1 root      wheel     38 May 25 18:12 /usr/local/openssl/cert.pem.sample -> /usr/local/share/certs/ca-root-nss.crt

The .sample files are symlinks, but the non-.sample files aren't (sorry for the double negative).

Thus: either the message is wrong/incorrect, or something changed between when the message was written and present that removed use of symlinks and instead uses literal copies.

I reviewed the Makefile, target do-install, and all I see being done symlink-wise is for .sample files.  I'm not even sure what's generating the non-.sample files...
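The report establishes the discrepancy by hand with ls -li and md5. The following script is an added example, not code from the bug report or from the ca_root_nss port: it automates that check, classifying each path the pkg-message names as a symlink (with its target), a byte-identical copy of the canonical bundle, a diverging copy, or missing, and returns non-zero whenever any path is a regular file rather than the symlink the message promises. The function names, the placeholder certificate text, and the temporary directory layout used for the demonstration are all constructed here; only the path list and the canonical bundle path come from the report.

```shell
#!/bin/sh
# Added example (not from the bug report or the port). Audits the paths the
# ca_root_nss pkg-message claims are symlinks and reports what they really are.

# Paths quoted from the pkg-message, and the bundle they are supposed to point at.
CANONICAL_BUNDLE=/usr/local/share/certs/ca-root-nss.crt
CLAIMED_SYMLINKS="/etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem"

# Digest a file: FreeBSD sha256(1), then GNU sha256sum, then POSIX cksum.
# Any of them is sufficient for an identity check between local copies.
file_digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1,2
    fi
}

# classify_path CANONICAL PATH
# Prints exactly one of: symlink:<target>  copy-same  copy-diff  missing
classify_path() {
    canonical=$1; path=$2
    if [ -L "$path" ]; then
        printf 'symlink:%s\n' "$(readlink "$path")"
    elif [ -f "$path" ]; then
        if [ "$(file_digest "$path")" = "$(file_digest "$canonical")" ]; then
            echo copy-same
        else
            echo copy-diff
        fi
    else
        echo missing
    fi
}

# audit_cert_paths CANONICAL PATH...
# One line per path. Returns 0 only when every path is a symlink, the state
# the pkg-message describes; any regular-file copy makes it return 1.
audit_cert_paths() {
    canonical=$1; shift
    rc=0
    for p in "$@"; do
        kind=$(classify_path "$canonical" "$p")
        printf '%-40s %s\n' "$p" "$kind"
        case $kind in
            symlink:*) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed layout (hypothetical, for the demonstration) mirroring what the
# report observed: one canonical bundle, one symlink to it, two separate
# byte-identical copies. Prints the temporary directory it was built in.
make_constructed_layout() {
    d=$(mktemp -d)
    mkdir -p "$d/share/certs" "$d/etc/ssl" "$d/local/etc/ssl" "$d/local/openssl"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIC-constructed-placeholder-not-a-real-certificate' \
        '-----END CERTIFICATE-----' > "$d/share/certs/ca-root-nss.crt"
    ln -s "$d/share/certs/ca-root-nss.crt" "$d/etc/ssl/cert.pem"
    cp "$d/share/certs/ca-root-nss.crt" "$d/local/etc/ssl/cert.pem"
    cp "$d/share/certs/ca-root-nss.crt" "$d/local/openssl/cert.pem"
    echo "$d"
}

# Demonstration on the constructed layout. To audit a real host instead:
#   audit_cert_paths "$CANONICAL_BUNDLE" $CLAIMED_SYMLINKS
demo=$(make_constructed_layout)
audit_cert_paths "$demo/share/certs/ca-root-nss.crt" \
    "$demo/etc/ssl/cert.pem" "$demo/local/etc/ssl/cert.pem" "$demo/local/openssl/cert.pem" \
    || echo "not every claimed symlink is a symlink: the pkg-message does not match this layout"
rm -rf "$demo"
```

The non-zero return is the operationally interesting result: independent copies with different inodes do not follow each other, so replacing one of them with an empty file or a site-local bundle, as the pkg-message suggests, leaves the other two locations unchanged, and the audit is what tells you they can drift.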
Comment 1 Jochen Neumeister freebsd_committer 2019-02-15 18:26:39 UTC
What is the current status?
Does ports-secteam have to be active here?
Comment 2 Walter Schwarzenfeld freebsd_triage 2019-08-16 03:03:16 UTC
ping!