https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290078
Bug ID: 290078
Summary: Build of security/ca_root_nss results in leftover of cert files on 16-CURRENT
Product: Base System
Version: 16.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Host: 16.0-CURRENT main-n280862-f19aea89abd8 amd64
Poudriere: 3.4.3
Jail: Same as host
Ports tree: ports 9ab81a2c7468
Under the above conditions, building security/ca_root_nss results in leftover cert files, as shown below.
----------------------------------------------------------------------
=>> Checking for extra files and directories
=>> Error: Files or directories left over:
/etc/ssl/certs/2ccbdda3.0
/etc/ssl/certs/9e654b62.0
/etc/ssl/certs/b0d5255e.0
=>> Error: Files or directories modified:
/etc/ssl/cert.pem size (224449, 229231)
build of security/ca_root_nss | ca_root_nss-3.115_3 ended at Wed Oct 8 04:34:45 JST 2025
build time: 00:00:07
!!! build failure encountered !!!
[00:00:10] Error: Build failed in phase: leftovers
[00:00:10] Logs: /usr/local/poudriere/data/logs/bulk/curamd64-default/2025-10-08_04h34m35s
[00:00:10] Cleaning up
[00:00:10] Unmounting file systems
----------------------------------------------------------------------
On 13.5-RELEASE amd64 and 14.3-RELEASE amd64 the leftover doesn't happen.
According to the result of a bisect, the leftover starts with the following commit.
----------------------------------------------------------------------
commit c340ef28fd38
Author: Dag-Erling Smørgrav <[email protected]>
AuthorDate: Mon Aug 18 23:26:29 2025
Commit: Dag-Erling Smørgrav <[email protected]>
CommitDate: Mon Aug 18 23:28:29 2025
certctl: Reimplement in C
Notable changes include:
* We no longer forget manually untrusted certificates when rehashing.
* Rehash will now scan the existing directory and progressively replace
its contents with those of the new trust store. The trust store as a
whole is not replaced atomically, but each file within it is.
* We no longer attempt to link to the original files, but we don't copy
them either. Instead, we write each certificate out in its minimal
form.
* We now generate a trust bundle in addition to the hashed directory.
This also contains only the minimal DER form of each certificate.
This allows e.g. Unbound to preload the bundle before chrooting.
* The C version is approximately two orders of magnitude faster than the
sh version, with rehash taking ~100 ms vs ~5-25 s depending on whether
ca_root_nss is installed.
* We now also have tests.
Reviewed by: kevans, markj
Differential Revision: https://reviews.freebsd.org/D42320
Differential Revision: https://reviews.freebsd.org/D51896
----------------------------------------------------------------------
So it seems something is wrong with the C version of certctl.
Cc-ing the committer of base c340ef28fd38.
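For anyone who wants to check a trust store for exactly the symptom reported above (hash-named files in the hashed directory that no longer correspond to the certificate they contain), the following is an added example, not part of this report and not certctl's own code. It assumes only that openssl(1) is on PATH, and it uses the same naming rule that c_rehash-style tools use: each file is named after the subject hash of the certificate, with a collision suffix .0, .1, and so on. A file whose name does not match its content is exactly what a rehash should have replaced or removed.

```sh
#!/bin/sh
# Added example (not certctl): audit an OpenSSL-style hashed certificate
# directory such as /etc/ssl/certs for stale entries. Assumes openssl(1)
# is available on PATH.

# Print one line per stale entry ("<file> expected <hash>") and return the
# number of stale entries found; 0 means every hash-named file is consistent.
audit_hash_dir() {
    dir=$1
    stale=0
    for f in "$dir"/*.[0-9]*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        prefix=${name%.*}
        # Only consider OpenSSL hash names: exactly 8 lowercase hex digits.
        case $prefix in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
            *) continue ;;
        esac
        # subject_hash is the value the hashed directory is keyed on.
        want=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null) || want=unparseable
        if [ "$want" != "$prefix" ]; then
            printf '%s expected %s\n' "$f" "$want"
            stale=$((stale + 1))
        fi
    done
    return "$stale"
}

# Populate a hashed directory from PEM files the way c_rehash does, so the
# audit above can be exercised on a constructed fixture.
install_hashed() {
    dir=$1
    shift
    for pem in "$@"; do
        h=$(openssl x509 -in "$pem" -noout -subject_hash)
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        cp "$pem" "$dir/$h.$n"
    done
}

# Usage: sh audit_certs.sh /etc/ssl/certs
if [ $# -eq 1 ]; then
    audit_hash_dir "$1"
fi
```

The exit status doubles as the stale-entry count, so the function can be dropped into a post-install or post-rehash check: a non-zero status means the hashed directory and the certificates it holds have drifted apart, which is the condition poudriere's leftover check tripped over here.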