From: Franco Fichtner
To: Bernhard Froehlich
Cc: ports
Subject: Re: security/ca_root_nss: Remove duplicate PLIST entry
Date: Wed, 20 Sep 2023 15:13:00 +0200
In-Reply-To: <18ab24f3cb3.c5c013fe911770.6822211215277654124@FreeBSD.org>
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports
Hi,

> On 20. Sep 2023, at 1:17 PM, Bernhard Froehlich wrote:
>
> Before anyone is going to revert this I'd like to add that it seems to fix a
> bug with Custom Root CA for me.

Thanks, would have been nice to have this on record.

> Up to now whenever I have a box with an additional Private Root CA in
> /usr/local/share/certs/ and run "certctl rehash" some tools like fetch
> work properly up to the point when ca_root_nss is installed.
>
> Removing ca_root_nss also made it work properly:
> pkg remove -f ca_root_nss

I think that's mainly because ETCSYMLINK is enabled by default in the port.
Without it there's no issue. Maybe for all releases bundling CAs it could be
turned off by default now?

The main problem is that ca_root_nss caters a bundle for 3 separate locations
used by different services and now makes two of them adjustable and the last
one a fixed link with ETCSYMLINK, and having multiple upstream projects use any
of these locations with differing resulting bundles in the worst case is not
ideal. So really the samples belong to ETCSYMLINK turned off and the links
belong to ETCSYMLINK turned on. The patch just tries to break the ambiguity
with the wrong conclusion. They are the same but they are separate use cases.
There is no proper override strategy in the port that comes from a single
location and propagates over to the target locations.

Granted I'm not using ETCSYMLINK because I need /etc/ssl/cert.pem to be a
collection of upstream and manual CAs anyway.

At the moment the motivation is not to drop the consistency that ETCSYMLINK
offers for this discussion.

Cheers,
Franco
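As an added illustration of the mismatch discussed in this thread (example code, not from the thread or the ports tree): a small POSIX sh audit that reports, for a given bundle path, whether it is a symlink, what it resolves to, how many certificates it holds and whether a given private root CA is present in it. The sample files it builds are constructed to mirror the layout described above: an upstream-only bundle, a local bundle with a private CA appended as after `certctl rehash`, and a `cert.pem` symlink pointing at the upstream bundle the way an ETCSYMLINK-style link would; the file names `nss.pem`, `local.pem` and `private.pem` are assumptions for the demo, and a real host's paths such as `/etc/ssl/cert.pem` are passed in instead.

```shell
#!/bin/sh
# Added example (not from the thread or the ports tree): audit what a CA bundle
# location really resolves to and whether a private root CA survives in it.
# Paths are parameters; the files built by make_sample are constructed samples.

# fake_cert LABEL: a constructed PEM block (only its text matters here)
fake_cert() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}
# cert_count FILE: number of PEM certificate blocks in FILE (0 if unreadable)
cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}
# pem_blocks FILE: every certificate block of FILE as one whitespace-free string
pem_blocks() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" |
        tr -d ' \n\r'
}
# bundle_has_ca BUNDLE CERT: exit 0 if the certificate in CERT appears verbatim
# in BUNDLE (plain text comparison, so it needs no openssl)
bundle_has_ca() {
    needle=$(pem_blocks "$2")
    [ -n "$needle" ] || return 1
    case "$(pem_blocks "$1")" in *"$needle"*) return 0 ;; *) return 1 ;; esac
}
# location_status PATH CERT: one-line report for one bundle location
location_status() {
    if [ -L "$1" ]; then link=yes; target=$(readlink "$1"); else link=no; target=$1; fi
    if bundle_has_ca "$1" "$2"; then ca=present; else ca=missing; fi
    echo "$1 symlink=$link target=$target certs=$(cert_count "$1") private_ca=$ca"
}
# make_sample DIR: constructed layout mirroring the thread: nss.pem (upstream
# bundle only), local.pem (same plus a private CA, as after certctl rehash),
# and cert.pem -> nss.pem (what an ETCSYMLINK-style link would do)
make_sample() {
    mkdir -p "$1"
    { fake_cert CONSTRUCTEDROOTA; fake_cert CONSTRUCTEDROOTB; } > "$1/nss.pem"
    fake_cert CONSTRUCTEDPRIVATECA > "$1/private.pem"
    cat "$1/nss.pem" "$1/private.pem" > "$1/local.pem"
    ln -sf "$1/nss.pem" "$1/cert.pem"
}

# Stand-alone run against the constructed sample
d=$(mktemp -d)
make_sample "$d"
location_status "$d/local.pem" "$d/private.pem"
location_status "$d/cert.pem" "$d/private.pem"
```

On a real host, `location_status /etc/ssl/cert.pem /path/to/private-root.pem` shows at a glance whether that location is a link and whether the private CA is still in the bundle it resolves to.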