Bug 241516 - Mk/bsd.port.mk: Fix certificate verification for 'make makesum'
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Ports Framework
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Port Management Team
Keywords: regression, security
Reported: 2019-10-27 07:23 UTC by Ting-Wei Lan
Modified: 2024-02-12 12:57 UTC

koobs: maintainer-feedback? (ports-secteam)
philip: maintainer-feedback+
koobs: merge-quarterly?


Attachments
Patch (380 bytes, patch)
2019-10-27 07:23 UTC, Ting-Wei Lan
Patch (v2) (511 bytes, patch)
2019-11-30 14:21 UTC, Ting-Wei Lan

Description Ting-Wei Lan 2019-10-27 07:23:41 UTC
Created attachment 208625
Patch

Currently Mk/bsd.port.mk includes this section of code:

.if !make(makesum)
FETCH_ENV?=             SSL_NO_VERIFY_PEER=1 SSL_NO_VERIFY_HOSTNAME=1
.endif

When FETCH_ENV isn't defined, certificate verification is disabled when the target isn't makesum. However, it doesn't work as intended. 'make makesum' calls 'make fetch' internally, and 'make fetch' disables certificate verification because the target isn't makesum. Therefore, certificate verification is in fact always disabled unless the users define FETCH_ENV themselves.

To fix the problem, define FETCH_ENV when makesum is used and export it for sub-make to find it.
Comment 1 Mathieu Arnold freebsd_committer freebsd_triage 2019-10-31 12:26:40 UTC
Using .export is probably wrong, FETCH_ENV should be passed around when it is used/needed.
Comment 2 Ting-Wei Lan 2019-11-30 14:21:22 UTC
Created attachment 209557
Patch (v2)

Pass FETCH_ENV via make command line instead of environment variable.
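
The mechanism from the description and the approach named in comment 2, as an added BSD make reproduction that is not part of the bug report or its attached patches. Only the conditional at the top is taken from the report; the target bodies, the PASS_FETCH_ENV knob and the SUBMAKE_ARGS variable are hypothetical stand-ins, and the command-line form is an assumption about how such a fix could look.

```make
# Constructed minimal reproduction in BSD make syntax. The recipes are
# stand-ins for illustration, not the real Mk/bsd.port.mk targets.

# Conditional quoted in the report. Every make process evaluates it on its
# own, against the targets named on that process's command line.
.if !make(makesum)
FETCH_ENV?=	SSL_NO_VERIFY_PEER=1 SSL_NO_VERIFY_HOSTNAME=1
.endif

# Hypothetical knob: when set, the parent hands its own FETCH_ENV to the
# child on the command line (assumed shape of the comment 2 approach).
# A command-line variable takes precedence over the ?= default above,
# even when its value is empty.
.if defined(PASS_FETCH_ENV)
SUBMAKE_ARGS=	FETCH_ENV=${FETCH_ENV:Q}
.endif

.PHONY: fetch makesum

# Stand-in for the real fetch target: show the environment string that
# would be placed in front of the fetch(1) command.
fetch:
	@echo "fetch:   FETCH_ENV='${FETCH_ENV}'"

# Stand-in for makesum. The child make is started with the target "fetch",
# so make(makesum) is false in the child and, without SUBMAKE_ARGS, the
# child assigns the no-verify default again.
makesum:
	@echo "makesum: FETCH_ENV='${FETCH_ENV}'"
	@cd ${.CURDIR} && ${MAKE} ${SUBMAKE_ARGS} fetch
```

Save it as Makefile in an empty directory and compare what the fetch line reports for `make makesum` and for `make makesum PASS_FETCH_ENV=yes` under BSD make (bmake on other systems).
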
Comment 3 Ting-Wei Lan 2020-08-08 14:10:25 UTC
Ping! This patch fixes a regression introduced in ports r513191. It is bad for maintainers to download distfiles insecurely for almost one year.
Comment 4 Li-Wen Hsu freebsd_committer freebsd_triage 2021-01-24 17:12:50 UTC
CC committer of ports r513191
Comment 5 Ting-Wei Lan 2021-07-04 10:41:45 UTC
Change the title from 'Enable ...' to 'Restore ...' because certificate verification was enabled in older versions of ports. This is a fix for a regression, not a request for a feature.
Comment 6 Jochen Neumeister freebsd_committer freebsd_triage 2024-02-12 12:57:53 UTC
Is this PR still relevant or can it be closed?