Bug 258631 - dns/opendnssec2: Update to 2.1.10
Summary: dns/opendnssec2: Update to 2.1.10
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Yasuhiro Kimura
URL: https://www.opendnssec.org/2021/09/op...
Reported: 2021-09-20 13:07 UTC by Jaap Akkerhuis
Modified: 2021-10-18 07:20 UTC

Attachments
Patch to upgrade (894 bytes, patch)
2021-09-20 13:07 UTC, Jaap Akkerhuis
jaap: maintainer-approval+
Patch to upgrade (2.17 KB, patch)
2021-10-13 10:59 UTC, Jaap Akkerhuis
jaap: maintainer-approval+
Patch to upgrade (2.58 KB, patch)
2021-10-14 10:18 UTC, Jaap Akkerhuis
jaap: maintainer-approval+

Description Jaap Akkerhuis 2021-09-20 13:07:35 UTC
Created attachment 228052 [details]
Patch to upgrade

This release addresses an automatic re-salting after a migration from 1.4
and an error manifesting as a key_data_update failure in the logs where
a retired key wasn’t removed from the signer configuration in time in
certain circumstances.
Also an RPM is now provided for RHEL/CentOS distros at the same download
location.

Issues

 * OPENDNSSEC-955: Prevent concurrency between certain valid PKCS#11 HSM operations to avoid some keys to be (transiently) unavailable.

 * OPENDNSSEC-956: Harden signing procedure to still sign zones for which there are unused keys specified in the zone which are unavailable.
 * OPENDNSSEC-957: Fix exit code signer daemon to not always report failure.

 * OPENDNSSEC-958: Fix immediate resalting after migration from 1.4.

 * OPENDNSSEC-959: Emit warning on ods-kaspcheck for NSEC iteration count that is deemed too high.

 * SUPPORT-265: Resolve conflict when deleting keys from HSM whilst also performing step in key roll process. Typically a message “key_data_update failed” is present in logs.

Provided RedHat/CentOS spec file in contrib directory.
Comment 1 Nuno Teixeira freebsd_committer freebsd_triage 2021-09-21 11:30:49 UTC
Hello,

Portclippy seems to indicate that some variables need to be better sorted and organized in their sections. Portfmt could give some adjustments as well. Could you try these tools?
Comment 2 Jaap Akkerhuis 2021-09-21 13:48:08 UTC
(In reply to Nuno Teixeira from comment #1)
I've always used portlint and that doesn't seem to have any problems, but feel free to make adjustments as you see fit. Meanwhile, I'll take a look at portfmt.
Comment 3 Daniel Engberg freebsd_committer freebsd_triage 2021-09-21 16:02:31 UTC
All URLs to opendnssec.org also redirect to https.
Comment 4 Nuno Teixeira freebsd_committer freebsd_triage 2021-09-22 08:28:43 UTC
(In reply to Jaap Akkerhuis from comment #2)
Remember that portlint, portclippy and portfmt are tools that we do not have to follow blindly like any other tool.

1. portlint: OK

2. portclippy Makefile:
---
# PORTNAME block
PORTNAME
DISTVERSION
CATEGORIES
MASTER_SITES
PKGNAMESUFFIX

# Maintainer block
MAINTAINER
COMMENT

# License block
LICENSE
LICENSE_FILE

# Dependencies
BUILD_DEPENDS
LIB_DEPENDS

# USES block
USES
USE_RC_SUBR

# Configure block
GNU_CONFIGURE
CONFIGURE_ARGS

# Make block
+INSTALL_TARGET
-SUB_FILES

# Conflicts
CONFLICTS

# Standard bsd.port.mk variables
+SUB_FILES

# Users and groups block
USERS
GROUPS

# Options definitions
OPTIONS_DEFINE
OPTIONS_DEFAULT
-OPTIONS_SUB
OPTIONS_SINGLE
OPTIONS_SINGLE_DB
+OPTIONS_SUB

# Options descriptions
+MYSQL_DESC
SOFTHSM_DESC
-MYSQL_DESC
SQLITE_DESC

# Options helpers
+MYSQL_USES
MYSQL_CONFIGURE_ON
+SOFTHSM_RUN_DEPENDS
+SOFTHSM_CONFIGURE_ON
+SQLITE_BUILD_DEPENDS
-MYSQL_USES
SQLITE_USES
SQLITE_CONFIGURE_ON
-SQLITE_BUILD_DEPENDS
-SOFTHSM_CONFIGURE_ON
-SOFTHSM_RUN_DEPENDS

-INSTALL_TARGET
---
These changes seem fine to me.

3. portfmt -D Makefile:
---
--- Makefile
+++ Makefile
@@ -31,23 +31,22 @@
 GROUPS=		opendnssec
 
 PORTDOCS=	MIGRATION NEWS README.md
-MIGRATE=	README.md find_problematic_zones.sql \
-		convert_mysql mysql_convert.sql \
-		convert_sqlite sqlite_convert.sql
+MIGRATE=	README.md find_problematic_zones.sql convert_mysql \
+		mysql_convert.sql convert_sqlite sqlite_convert.sql
 CONVERT=	convert_mysql_to_sqlite convert_sqlite_to_mysql
 SCHEMAS=	schema.mysql schema.sqlite
 
-OPTIONS_DEFINE=		SOFTHSM DOCS
+OPTIONS_DEFINE=		DOCS SOFTHSM
 OPTIONS_DEFAULT=	SQLITE
 OPTIONS_SUB=		yes
 
 OPTIONS_SINGLE=		DB
-OPTIONS_SINGLE_DB=	SQLITE MYSQL
+OPTIONS_SINGLE_DB=	MYSQL SQLITE
 
-SOFTHSM_DESC=		SoftHSM cryptographic store for PKCS \#11 interface
+SOFTHSM_DESC=	SoftHSM cryptographic store for PKCS \#11 interface
 
-MYSQL_DESC=		Use MYSQL backend
-SQLITE_DESC=		Use SQLite backend
+MYSQL_DESC=	Use MYSQL backend
+SQLITE_DESC=	Use SQLite backend
 
 MYSQL_CONFIGURE_ON=	--with-enforcer-database=mysql
 MYSQL_USES=		mysql
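Review bot: The option descriptions are still split after this reformat: SOFTHSM_DESC stays in its own paragraph above MYSQL_DESC and SQLITE_DESC, so the order portclippy lists earlier in this comment (MYSQL_DESC, SOFTHSM_DESC, SQLITE_DESC) is not reached by this hunk. Merge the three lines into one block by hand; likewise OPTIONS_SUB is left directly under OPTIONS_DEFAULT here, while the portclippy listing wants it after OPTIONS_SINGLE_DB.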
@@ -59,7 +58,7 @@
 SOFTHSM_CONFIGURE_ON=	--with-pkcs11-softhsm=${LOCALBASE}/lib/softhsm/libsofthsm2.so
 SOFTHSM_RUN_DEPENDS=	softhsm2>=2.5.0:security/softhsm2
 
-INSTALL_TARGET=		install-strip
+INSTALL_TARGET=	install-strip
 
 pre-build:
 	${REINPLACE_CMD} -e "s|\(-lcrypto\)|-L${OPENSSLLIB} \1|g" \
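Review bot: INSTALL_TARGET is only re-tabbed in this hunk and stays below the SOFTHSM_* option helpers, directly above pre-build. The portclippy listing in this comment places it in the Make block ahead of CONFLICTS, so the line needs to be moved as well as realigned.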
---
- MIGRATE part is ok with better look at 72 columns
- OPTIONS_DEFINE is ok with alphabetical order
- OPTIONS_SINGLE_DB is ok with alphabetical order
- TABS are optional

portfmt is a bit tricky and I am always careful with this tool.

Cheers
Comment 5 Jaap Akkerhuis 2021-10-13 10:59:07 UTC
Created attachment 228658 [details]
Patch to upgrade

This new version of the patch has a Makefile that satisfies portfmt(1). Can we commit this now?
Comment 6 Nuno Teixeira freebsd_committer freebsd_triage 2021-10-14 07:17:04 UTC
Hello,

IMO,

1. pkg-descr WWW should be https://URL instead of http://URL because the actual URL redirects to https://, like Daniel said

2. There is something to order in Makefile:

- move INSTALL_TARGET to Make block
- move SUB_FILES to Standard bsd.port.mk variables
- alphabetical order in Options definitions, descriptions and helpers

---
# Make block
+INSTALL_TARGET
-SUB_FILES

# Conflicts
CONFLICTS

# Standard bsd.port.mk variables
+SUB_FILES

# Users and groups block
USERS
GROUPS

# Options definitions
OPTIONS_DEFINE
OPTIONS_DEFAULT
-OPTIONS_SUB
OPTIONS_SINGLE
OPTIONS_SINGLE_DB
+OPTIONS_SUB

# Options descriptions
+MYSQL_DESC
SOFTHSM_DESC
-MYSQL_DESC
SQLITE_DESC

# Options helpers
+MYSQL_USES
MYSQL_CONFIGURE_ON
+SOFTHSM_RUN_DEPENDS
+SOFTHSM_CONFIGURE_ON
+SQLITE_BUILD_DEPENDS
-MYSQL_USES
SQLITE_USES
SQLITE_CONFIGURE_ON
-SQLITE_BUILD_DEPENDS
-SOFTHSM_CONFIGURE_ON
-SOFTHSM_RUN_DEPENDS

-INSTALL_TARGET
---

Cheers
Comment 7 Jaap Akkerhuis 2021-10-14 10:18:16 UTC
Created attachment 228692 [details]
Patch to upgrade

Yet another one
Comment 8 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-10-17 13:48:08 UTC
Take.
Comment 9 commit-hook freebsd_committer freebsd_triage 2021-10-18 07:15:29 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0dc3b20833d713cf01322e60f2b6eb8b4581e8cc

commit 0dc3b20833d713cf01322e60f2b6eb8b4581e8cc
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2021-10-17 13:39:26 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2021-10-18 07:13:48 +0000

    dns/opendnssec2: Update to 2.1.10

    * Pet portclippy
    * Reformat Makefile with portfmt

    ReleaseNotes:   https://www.opendnssec.org/2021/09/opendnssec-2-1-10/
    PR:             258631
    Approved by:    ygy (mentor)
    Differential Revision:  https://reviews.freebsd.org/D32536

 dns/opendnssec2/Makefile | 37 ++++++++++++++++---------------------
 dns/opendnssec2/distinfo |  6 +++---
 2 files changed, 19 insertions(+), 24 deletions(-)
Comment 10 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-10-18 07:20:39 UTC
Committed. Thanks!