Bug 281579 - mail/rspamd: Is it possible to remove security/ca_root_nss from RUN_DEPENDS?
Status: Closed Works As Intended
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Vsevolod Stakhov
Reported: 2024-09-18 23:17 UTC by Yasuhiro Kimura
Modified: 2024-10-13 17:20 UTC
yasu: maintainer-feedback? (vsevolod)


Description Yasuhiro Kimura freebsd_committer freebsd_triage 2024-09-18 23:17:17 UTC
In mail/rspamd/Makefile, security/ca_root_nss is specified as RUN_DEPENDS. According to the commit log, it was added with the following commit.

----------------------------------------------------------------------
commit 28ef9363638f
Author:     Vsevolod Stakhov <vsevolod@FreeBSD.org>
AuthorDate: Wed Mar 21 18:22:06 2018 +0000
Commit:     Vsevolod Stakhov <vsevolod@FreeBSD.org>
CommitDate: Wed Mar 21 18:22:06 2018 +0000

    Update rspamd port to 1.7.1
    
    - fix plist (install config files using @sample, was broken in patch from PR 226646)
    - build only one neural net module: fann or torch
    - rspamd has https client - add ca_root_nss dependency
    
    PR:             226802
    Submitted by:   Anton Yuzhaninov <citrin+pr at citrin.ru>
----------------------------------------------------------------------

IIRC the base system of FreeBSD didn't yet include CA certificates at that time, so adding security/ca_root_nss as RUN_DEPENDS was reasonable. But now the base system of all supported FreeBSD versions includes CA certificates. So is it possible to remove security/ca_root_nss from RUN_DEPENDS?
Comment 1 Fernando Apesteguía freebsd_committer freebsd_triage 2024-09-30 17:31:33 UTC
(In reply to Yasuhiro Kimura from comment #0)
I think we should keep it.
security/ca_root_nss is likely to be updated more often than the base ca_root_nss.

What do you think?
Comment 2 Vsevolod Stakhov freebsd_committer freebsd_triage 2024-09-30 17:33:49 UTC
If we have that in the base system we can probably live with the base system version and remove this RUN_DEPENDS. However, I don't have a strong opinion on that.
Comment 3 Fernando Apesteguía freebsd_committer freebsd_triage 2024-10-03 16:27:36 UTC
(In reply to Vsevolod Stakhov from comment #2)
My concern is that the port is updated more often and I'm not sure how often we import the Mozilla certs in base.
Right now, in my updated 14.1 system, ca-root-nss from base and from ports differ:

/usr/share/certs/trusted$ diff <(grep -h Issuer * | sort) <(grep -h Issuer /usr/local/share/certs/ca-root-nss.crt | sort)
16,17d15
<         Issuer: C = CN, O = "TrustAsia Technologies, Inc.", CN = TrustAsia Global Root CA G3
<         Issuer: C = CN, O = "TrustAsia Technologies, Inc.", CN = TrustAsia Global Root CA G4
29,30d26
<         Issuer: C = DE, O = Deutsche Telekom Security GmbH, CN = Telekom Security TLS ECC Root 2020
<         Issuer: C = DE, O = Deutsche Telekom Security GmbH, CN = Telekom Security TLS RSA Root 2023
33a30
>         Issuer: C = ES, CN = Autoridad de Certificacion Firmaprofesional CIF A62634068
61a59
>         Issuer: C = JP, O = SECOM Trust.net, OU = Security Communication RootCA1
97,100d94
<         Issuer: C = US, O = CommScope, CN = CommScope Public Trust ECC Root-01
<         Issuer: C = US, O = CommScope, CN = CommScope Public Trust ECC Root-02
<         Issuer: C = US, O = CommScope, CN = CommScope Public Trust RSA Root-01
<         Issuer: C = US, O = CommScope, CN = CommScope Public Trust RSA Root-02
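
An added example, not part of the original report or any commenter's post: the comparison in comment 3 matches Issuer lines, which cannot show a root that was re-issued under the same name, so this sketch compares the two stores by SHA-256 of each certificate's DER bytes instead. The two paths are the ones from comment 3; the function names and the sample data are constructed for illustration, and it assumes both stores hold PEM blocks preceded by an "Issuer:" text line, as the grep output above implies.

```python
import base64
import hashlib
from pathlib import Path

BASE_DIR = Path("/usr/share/certs/trusted")                    # path from comment 3
PORTS_BUNDLE = Path("/usr/local/share/certs/ca-root-nss.crt")  # path from comment 3

def fingerprints(text):
    """Return {sha256(DER) hex: issuer} for every PEM certificate in text."""
    certs, issuer, body = {}, "(no Issuer line)", None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Issuer:"):
            issuer = line[len("Issuer:"):].strip()
        elif line == "-----BEGIN CERTIFICATE-----":
            body = []
        elif line == "-----END CERTIFICATE-----" and body is not None:
            der = base64.b64decode("".join(body))
            certs[hashlib.sha256(der).hexdigest()] = issuer
            issuer, body = "(no Issuer line)", None
        elif body is not None:
            body.append(line)
    return certs

def compare(base_text, ports_text):
    """Issuers of certificates present in only one of the two stores."""
    base, ports = fingerprints(base_text), fingerprints(ports_text)
    only_base = sorted(base[f] for f in base.keys() - ports.keys())
    only_ports = sorted(ports[f] for f in ports.keys() - base.keys())
    return only_base, only_ports

def _fake(issuer, payload):
    """Constructed stand-in for a certificate: arbitrary bytes, not real DER."""
    b64 = base64.b64encode(payload).decode()
    return f"        Issuer: {issuer}\n-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample: both stores list the same issuers, but Root A's bytes differ.
SAMPLE_BASE = _fake("CN = Example Root A", b"root-a-old") + _fake("CN = Example Root B", b"root-b")
SAMPLE_PORTS = _fake("CN = Example Root A", b"root-a-new") + _fake("CN = Example Root B", b"root-b")

if __name__ == "__main__":
    if BASE_DIR.is_dir() and PORTS_BUNDLE.is_file():
        base_text = "\n".join(p.read_text(errors="replace")
                              for p in sorted(BASE_DIR.iterdir()) if p.is_file())
        ports_text = PORTS_BUNDLE.read_text(errors="replace")
    else:  # not on a FreeBSD host with both stores: fall back to the sample
        base_text, ports_text = SAMPLE_BASE, SAMPLE_PORTS
    only_base, only_ports = compare(base_text, ports_text)
    for name in only_base:
        print("< base only: ", name)
    for name in only_ports:
        print("> ports only:", name)
```

On the constructed sample an Issuer-only diff reports no difference, while the fingerprint comparison lists Example Root A on both sides.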
Comment 4 Fernando Apesteguía freebsd_committer freebsd_triage 2024-10-10 17:25:53 UTC
Hi there,

I'd rather not have this PR lingering around :-)

If there is no opposition, I think we should keep the dependency. The port is updated often and mail/rspamd would benefit from that, IMO.