+portmgr
On 7/2/2014 6:45 PM, Xin Li wrote:
> Hi,
>
> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves. We do, however, provide a
> port, security/ca_root_nss, which has an option to install a symbolic
> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
> which is not the default option.
>
> This becomes a problem when applications, e.g. fetch(8), have grown the
> support of doing certificate validation. I think now it makes sense
> to have a default cert.pem installed with the base system.
>
> So my proposal would be:
>
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>
> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
>
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
>
> 4. Change the install/deinstall behavior of security/ca_root_nss:
> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install then overwrite with new symlink, and restore on deinstall.
> ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
> install a new symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove if the file does not exist.
>
> Comments/objections?
>
> Cheers,

Please see r266291. libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl. The next step was to have the port always install the symlink there. It's fallen through the cracks though. This only allows fixing applications that use libfetch though and not other applications that expect a /etc/ssl/cert.pem like curl.

I have no qualms about making security/ca_root_nss *always* install a symlink into /usr/local/etc/ssl, but touching base system is not usually proper for a port. There is this vague idea floating around that for package building, ports should never touch the base system (except /var/db or /var/games or /etc/*passwd*) and / should otherwise be read-only. This has not become a reality or had much discussion yet, though we do frown on overwriting base and touching base already. For example, the perl symlink in /usr/bin is phased out.

I like the idea of the base system installing a symlink from /etc/ssl/cert.pem to *somewhere*. I like the idea of secteam maintaining a ca-root-freebsd.pem even better, as long as you are willing to.

IMHO always install it, don't depend on MK_OPENSSL. Is the file actually specific to OpenSSL? Ports would love to have it be available all the time regardless of SSL library choices.

--
Regards,
Bryan Drewery
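
The lookup order described in the reply above (/usr/local/etc/ssl before /etc/ssl), as an added example that is not part of the original thread or FreeBSD's own code: a shell function that reports which cert.pem would be selected and flags dangling symlinks, such as one left behind after a port deinstall. The cert.pem name under /usr/local/etc/ssl, the policy of skipping unusable candidates, and the function and script names are assumptions.

```shell
#!/bin/sh
# Added example: audit which CA bundle a lookup in the order
# /usr/local/etc/ssl, then /etc/ssl would end up using.
# Assumption: the bundle is named cert.pem in both directories.

# resolve_ca_bundle [ROOT]
#   ROOT is an optional prefix (a DESTDIR or jail root); default is "".
#   Prints one line per candidate that was skipped as unusable
#   ("dangling", "empty", "not-pem"), then "symlink <path>" or
#   "file <path>" for the first usable bundle and returns 0.
#   Prints "none" and returns 1 when no usable bundle exists.
resolve_ca_bundle() {
    root="${1:-}"
    for dir in /usr/local/etc/ssl /etc/ssl; do
        path="${root}${dir}/cert.pem"
        # A symlink whose target is gone: -L is true, -e is false.
        if [ -L "$path" ] && [ ! -e "$path" ]; then
            echo "dangling $path"
            continue
        fi
        [ -e "$path" ] || continue
        if [ ! -s "$path" ]; then
            echo "empty $path"
            continue
        fi
        # A trust store without a single PEM certificate is useless.
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$path"; then
            echo "not-pem $path"
            continue
        fi
        if [ -L "$path" ]; then
            echo "symlink $path"
        else
            echo "file $path"
        fi
        return 0
    done
    echo "none"
    return 1
}

# Run the check when saved and invoked as check-ca-bundle.sh
# (hypothetical script name).
case "${0##*/}" in
    check-ca-bundle.sh) resolve_ca_bundle "$@" ;;
esac
```

A "dangling" line for /usr/local/etc/ssl/cert.pem followed by a result under /etc/ssl means validation is silently relying on the base bundle rather than the port's.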
