Bug 234421 - sysutils/vagrant: vagrant/files/cacert.pem over five years old
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Christoph Moench-Tegeder
Reported: 2018-12-26 17:48 UTC by corvid
Modified: 2019-03-14 23:18 UTC

joe: maintainer-feedback+

vagrant 2.2.4_1 with curl and ca_root_nss dependencies (2.54 KB, patch)
2019-03-11 04:09 UTC, joe
joe: maintainer-approval+
Description corvid 2018-12-26 17:48:48 UTC
The file says "Certificate data from Mozilla as of: Thu Dec  5 09:40:49 2013"
Comment 1 Christoph Moench-Tegeder freebsd_committer 2019-02-28 13:26:04 UTC

The easiest improvement would be a BUILD_DEPENDS on security/ca_root_nss and copying ${PREFIX}/share/certs/ca-root-nss.crt from there - but embedding a certificate which is managed elsewhere is rather clumsy. A much more elegant way would be using the installed certificate from ca_root_nss at runtime - but I haven't really looked into the amount of patching required for that. Any comments?
Comment 2 joe 2019-03-09 20:20:30 UTC

Sorry for the delay.

Yes, that's the best way; it should depend on ca_root_nss and use it at run-time.

Would you be able to make this change?

Comment 3 joe 2019-03-11 04:08:48 UTC
I am attaching a patch that resolves the old certificate inclusion, by depending upon the ca_root_nss package. Additionally, a dependency upon curl was missing.

I've bumped the port revision with these changes.

Tested on 12.0-RELEASE and 11.2-RELEASE for basic functionality.

Comment 4 joe 2019-03-11 04:09:50 UTC
Created attachment 202790
vagrant 2.2.4_1 with curl and ca_root_nss dependencies
Comment 5 Christoph Moench-Tegeder freebsd_committer 2019-03-11 09:01:42 UTC
I'll look into this later this week (curse of the consultant: lots of travel).
Comment 6 commit-hook freebsd_committer 2019-03-14 23:16:07 UTC
A commit references this bug:

Author: cmt
Date: Thu Mar 14 23:15:29 UTC 2019
New revision: 495742
URL: https://svnweb.freebsd.org/changeset/ports/495742

  Use CA certificates from ca_root_nss for TLS validation

  instead of embedding a very old version of that file, and depend
  on ca_root_nss for that.
  Add dependency on curl, which has been missing for a long time.

  PR:		234421
  Submitted by:	joe@thrallingpenguin.com
  Reported by:	corvid@openmailbox.org
  Approved by:	joe@thrallingpenguin.com (maintainer)

Comment 7 Christoph Moench-Tegeder freebsd_committer 2019-03-14 23:18:07 UTC
committed ports r495742 - thanks!
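
The staleness reported in this bug can be checked for mechanically. The following is an added example, not part of the bug thread or of the port: it reads the "Certificate data from Mozilla as of:" header quoted in the description and flags embedded CA bundles older than a threshold. The function names, the one-year default and the sample bundle text are assumptions made for illustration.

```python
import os
import re
from datetime import datetime, timezone

# Header line as quoted in the bug description; a trailing "GMT" is assumed optional.
HEADER = re.compile(r"Certificate data from Mozilla as of:\s*(.+?)\s*$", re.M)

def bundle_date(pem_text):
    """Return the generation time stated in the bundle header (UTC), or None."""
    m = HEADER.search(pem_text)
    if not m:
        return None
    stamp = " ".join(m.group(1).replace("GMT", "").split())  # collapse "Dec  5"
    try:
        parsed = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)

def classify(pem_text, now, max_age_days=365):
    """Return (verdict, age_days); bundles without a parseable header are 'unknown'."""
    stated = bundle_date(pem_text)
    if stated is None:
        return ("unknown", None)
    age = (now - stated).days
    return ("stale" if age > max_age_days else "ok", age)

def scan_tree(root, now, max_age_days=365):
    """Walk root and classify every .pem/.crt file that contains certificates."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".pem", ".crt")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if "-----BEGIN CERTIFICATE-----" in text:
                findings[path] = classify(text, now, max_age_days)
    return findings

# Constructed sample: header from the report, certificate body replaced by a placeholder.
SAMPLE = (
    "##\n## Certificate data from Mozilla as of: Thu Dec  5 09:40:49 2013\n##\n"
    "-----BEGIN CERTIFICATE-----\n(placeholder, not real data)\n-----END CERTIFICATE-----\n"
)
REPORTED = datetime(2018, 12, 26, 17, 48, 48, tzinfo=timezone.utc)  # report timestamp

if __name__ == "__main__":
    print(classify(SAMPLE, REPORTED))
```

Running `scan_tree` over an unpacked package or a ports work directory lists every bundled certificate file with its verdict; files reported as "unknown" carry no dated header and need manual review.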