Bug 241516 - Mk/bsd.port.mk: Fix certificate verification for 'make makesum'
Summary: Mk/bsd.port.mk: Fix certificate verification for 'make makesum'
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Ports Framework (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Port Management Team
Keywords: regression, security
Depends on:
Reported: 2019-10-27 07:23 UTC by Ting-Wei Lan
Modified: 2021-07-10 22:07 UTC (History)
7 users (show)

See Also:
koobs: maintainer-feedback? (ports-secteam)
philip: maintainer-feedback+
koobs: merge-quarterly?

Patch (380 bytes, patch)
2019-10-27 07:23 UTC, Ting-Wei Lan
no flags Details | Diff
Patch (v2) (511 bytes, patch)
2019-11-30 14:21 UTC, Ting-Wei Lan
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ting-Wei Lan 2019-10-27 07:23:41 UTC
Created attachment 208625 [details]

Currently Mk/bsd.port.mk includes this section of code:

.if !make(makesum)

When FETCH_ENV isn't defined, certificate verification is disabled when the target isn't makesum. However, it doesn't work as intended. 'make makesum' calls 'make fetch' internally, and 'make fetch' disables certificate verification because the target isn't makesum. Therefore, certificate verification is in fact always disabled unless the users define FETCH_ENV themselves.

To fix the problem, define FETCH_ENV when makesum is used and export it for sub-make to find it.
Comment 1 Mathieu Arnold freebsd_committer 2019-10-31 12:26:40 UTC
Using .export is probably wrong, FETCH_ENV should be passed around when it is used/needed.
Comment 2 Ting-Wei Lan 2019-11-30 14:21:22 UTC
Created attachment 209557 [details]
Patch (v2)

Pass FETCH_ENV via make command line instead of environment variable.
Comment 3 Ting-Wei Lan 2020-08-08 14:10:25 UTC
Ping! This patch fixes a regression introduced in ports r513191. It is bad for maintainers to download distfiles insecurely for almost one year.
Comment 4 Li-Wen Hsu freebsd_committer 2021-01-24 17:12:50 UTC
CC committer of ports r513191
Comment 5 Ting-Wei Lan 2021-07-04 10:41:45 UTC
Change the title from 'Enable ...' to 'Restore ...' because certificate verification was enabled in older versions of ports. This is a fix for a regression, not a request for a feature.