Bug 241516 - Enable certificate verification for 'make makesum'
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Ports Framework
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Port Management Team
Reported: 2019-10-27 07:23 UTC by Ting-Wei Lan
Modified: 2019-11-30 14:21 UTC

Attachments
Patch (380 bytes, patch)
2019-10-27 07:23 UTC, Ting-Wei Lan
Patch (v2) (511 bytes, patch)
2019-11-30 14:21 UTC, Ting-Wei Lan

Description Ting-Wei Lan 2019-10-27 07:23:41 UTC
Created attachment 208625
Patch

Currently Mk/bsd.port.mk includes this section of code:

.if !make(makesum)
FETCH_ENV?=             SSL_NO_VERIFY_PEER=1 SSL_NO_VERIFY_HOSTNAME=1
.endif

When FETCH_ENV isn't defined, certificate verification is disabled when the target isn't makesum. However, it doesn't work as intended. 'make makesum' calls 'make fetch' internally, and 'make fetch' disables certificate verification because the target isn't makesum. Therefore, certificate verification is in fact always disabled unless the users define FETCH_ENV themselves.

To fix the problem, define FETCH_ENV when makesum is used and export it for sub-make to find it.
Comment 1 Mathieu Arnold freebsd_committer 2019-10-31 12:26:40 UTC
Using .export is probably wrong; FETCH_ENV should be passed around when it is used/needed.
Comment 2 Ting-Wei Lan 2019-11-30 14:21:22 UTC
Created attachment 209557
Patch (v2)

Pass FETCH_ENV via make command line instead of environment variable.
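
Added example, not part of the bug report or its attached patches: a stand-alone BSD make (bmake) Makefile that reproduces the behaviour from the description and shows a variable handed to the sub-make on its command line, as Comment 2 describes. The target name makesum-cmdline, the echo recipes and the empty FETCH_ENV value are assumptions made for illustration; only the .if block is taken from the page.

```make
# Constructed reproduction for BSD make; save as "Makefile" in an empty
# directory. The echo recipes stand in for the real fetch logic.

# Block quoted in the report (from Mk/bsd.port.mk). It is evaluated every
# time a make process parses the file, against that process's own targets.
.if !make(makesum)
FETCH_ENV?=		SSL_NO_VERIFY_PEER=1 SSL_NO_VERIFY_HOSTNAME=1
.endif

# Stand-in for the real fetch target: report the environment that would be
# handed to fetch(1).
fetch:
	@echo "fetch sees FETCH_ENV='${FETCH_ENV}'"

# Behaviour described in the report. In the parent process make(makesum) is
# true, so FETCH_ENV stays unset there. The sub-make is invoked with the
# target "fetch", so in the child !make(makesum) is true and the default
# that disables verification is applied after all.
makesum:
	@echo "makesum parent has FETCH_ENV='${FETCH_ENV}'"
	@cd ${.CURDIR} && ${MAKE} fetch

# Hypothetical variant: pass FETCH_ENV on the sub-make command line.
# A command-line assignment counts as "defined", so the ?= default in the
# child is skipped. The empty value here is an assumption; a port or user
# could pass any fetch(1) environment they need instead.
makesum-cmdline:
	@cd ${.CURDIR} && ${MAKE} FETCH_ENV= fetch
```

Comparing the FETCH_ENV value printed by `make makesum` with the one printed by `make makesum-cmdline` shows whether the sub-make picked up the SSL_NO_VERIFY_* default.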