Bug 237986 - lang/go should RUN_DEPENDS on ca_root_nss to reliably fetch imports
Summary: lang/go should RUN_DEPENDS on ca_root_nss to reliably fetch imports
Status: Closed Works As Intended
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Julien Laffaye
Reported: 2019-05-19 21:08 UTC by hartzell
Modified: 2019-09-16 21:13 UTC
bugzilla: maintainer-feedback? (jlaffaye)

Description hartzell 2019-05-19 21:08:57 UTC
Attempting to build go programs that import packages hosted by golang.org fails unless ca_root_nss is installed.

E.g.

go: golang.org/x/sync@v0.0.0-20190423024810-112230192c58: unrecognized import path "golang.org/x/sync" (https fetch: Get https://golang.org/x/sync?go-get=1: x509: certificate signed by unknown authority)

Presumably other sites that use unrecognized certs will also fail.

I tripped over this when building in synth, which sets up clean environments.
Comment 1 Dmitri Goutnik freebsd_committer freebsd_triage 2019-05-22 22:27:59 UTC
(In reply to hartzell from comment #0)

Network access is not allowed during build, so missing ca_root_nss shouldn't prevent building of any correctly written port. And even if lang/go had a dependency on security/ca_root_nss, the next step for go will be to fetch sources using git (or hg/svn/bzr, depending on the repo), which would be missing too.
Comment 2 hartzell 2019-05-22 22:52:41 UTC
> Network access is not allowed during the build, [...]

I wasn't clear, this is not a poudriere build, but as a regular user of the go package, once it's been installed.

Your next point makes sense, the go port should no more have a dependency on the `security/ca_root_nss` than it should on the other bits involved in the `go build` step (or `go mod download`).

It's up to the end user to install them separately if they're desired.

That makes sense.

I believe that this can be closed.  Should I do it or should "someone else"?