Bug 256923 - textproc/py-sphinx: Remove or make OPTION'al dependency on security/ca_root_nss dependency
Summary: textproc/py-sphinx: Remove or make OPTION'al dependency on security/ca_root_n...
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-python (Nobody)
URL:
Keywords: needs-qa
Depends on:
Blocks:
 
Reported: 2021-07-01 16:07 UTC by Michael Osipov
Modified: 2021-07-08 06:59 UTC
CC: 4 users

See Also:
koobs: maintainer-feedback? (python)


Description Michael Osipov 2021-07-01 16:07:40 UTC
Depending on this port has a few issues:

* It is not clear why a documentation generation system depends on this port
* It pulls in the entire tree for Perl
* FreeBSD now has certctl(8) managed trust store which makes ca_root_nss obsolete
* Pulling it causes this issue: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256902

Consider removing this port or making it configurable, because cert management is an admin's task and not the port's.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2021-07-02 03:05:51 UTC
Investigate:

 - Nature of requirement for ca_root_nss. Possible workaround?
 - UX considerations for OPTIONAL ca_root_nss (in particular, disabled case)
 - Alternative root cause resolutions

Note: while cert management isn't a ports domain, the default and out-of-box experience with respect to validation of remote servers is. There's an entire history of bug and user reports going back a long way [1][2] (among others), and we still don't cover all the bases.

[1] https://svnweb.freebsd.org/ports?view=revision&revision=388657
[2] https://svnweb.freebsd.org/ports?view=revision&revision=378720
Comment 2 Michael Osipov 2021-07-02 06:23:29 UTC
(In reply to Kubilay Kocak from comment #1)

While I understand the out-of-the-box experience, since certctl(8) is there, there is very little need for ca_root_nss, or I simply don't understand why it is still required. I expect every OpenSSL-aware application to set default verification paths unless it is overridden by some means.

I did a test run for our base ports with and without ca_root_nss on sphinx. I went from 120 packages down to 60 just because perl is out of the game.
Comment 3 Danilo G. Baio freebsd_committer 2021-07-08 01:32:30 UTC
(In reply to Michael Osipov from comment #0)

That was added in bug 212049.
Sphinx can pull some external bits.

Just for the record, when Sphinx can't fetch something, sometimes it does not break the build, but the doc output is changed/incomplete.

I'm not saying we can't remove it, but we need to test it carefully.
Comment 4 Michael Osipov 2021-07-08 06:59:38 UTC
(In reply to Danilo G. Baio from comment #3)

By reading the issue you mentioned, this boils down to the same problem I have discussed with Kubilay over and over again: Python and/or urllib3 simply don't use the default location for the system cert store. See
* Bug 230414
* https://github.com/tiran/certifi-system-store/issues/3
* https://github.com/psf/requests/issues/2966
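Added example, not part of the bug's comments: a small Python check that makes the discrepancy raised in comments 2 and 4 visible on a given host. It reports the verify paths the ssl module inherits from OpenSSL (the store certctl(8) manages on FreeBSD, typically /etc/ssl/cert.pem), how many CAs that store actually loads, and which bundle requests/urllib3 would verify against instead (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, else certifi's own cacert.pem). The environment-variable precedence is the one requests documents; certifi is imported only if present.

```python
"""Compare the OpenSSL default trust store with the bundle requests uses.

Added example for this bug thread; it is not code from py-sphinx, certifi,
requests or the FreeBSD ports tree.
"""
import os
import ssl


def openssl_default_paths():
    """Return OpenSSL's compiled-in default CA file/dir, the environment
    variables that override them, and whether each path exists on disk.
    This is what ssl.create_default_context() and any plain OpenSSL-aware
    program verify against; on FreeBSD certctl(8) populates these paths."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.openssl_cafile,
        "capath": p.openssl_capath,
        "cafile_env": p.openssl_cafile_env,   # normally SSL_CERT_FILE
        "capath_env": p.openssl_capath_env,   # normally SSL_CERT_DIR
        "cafile_exists": p.cafile is not None,  # None when the file is missing
        "capath_exists": p.capath is not None,
    }


def system_ca_count():
    """Number of CA certificates OpenSSL loads from its default paths.
    0 means a bare ssl context would reject every remote server, which is
    the out-of-box failure the thread is about."""
    ctx = ssl.create_default_context()
    return ctx.cert_store_stats()["x509_ca"]


def certifi_bundle():
    """Path of certifi's bundled CAs, or None if certifi is not installed.
    requests (via urllib3) defaults to this file, not to the OpenSSL paths."""
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


def effective_bundle_for_requests(environ=None):
    """Resolve the CA bundle requests would verify with, following its
    documented precedence: REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, else
    certifi's bundle. An empty variable is ignored, as requests does."""
    env = os.environ if environ is None else environ
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]
    return certifi_bundle()


def uses_system_store(environ=None):
    """True when requests would verify against the same file OpenSSL uses,
    i.e. the admin-managed store rather than a second, port-shipped one."""
    sys_file = ssl.get_default_verify_paths().cafile
    bundle = effective_bundle_for_requests(environ)
    if sys_file is None or bundle is None or not os.path.exists(bundle):
        return False
    return os.path.samefile(sys_file, bundle)


if __name__ == "__main__":
    for key, val in openssl_default_paths().items():
        print(f"{key:15} {val}")
    print(f"{'system CAs':15} {system_ca_count()}")
    print(f"{'requests uses':15} {effective_bundle_for_requests()}")
    print(f"{'same store':15} {uses_system_store()}")
```

Pointing REQUESTS_CA_BUNDLE (or SSL_CERT_FILE for urllib3 users that call ssl directly) at the certctl-managed file is the administrator-side way to make a Python client honour the system store without any port pulling in ca_root_nss; running the script before and after setting it shows the change in the last two lines.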