[Bug 217691] net/chrony: add nss option + other cleanups
bugzilla-noreply at freebsd.org
Sat Mar 11 01:32:57 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217691
Bug ID: 217691
Summary: net/chrony: add nss option + other cleanups
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: z7dr6ut7gs at snkmail.com
CC: yonas at fizk.net
Flags: maintainer-feedback?(yonas at fizk.net)
Created attachment 180709
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=180709&action=edit
[patch] NSS option + other cleanup
The attached patch adds an NSS option and some other cleanup.
portlint - ok
stage-qa - ok
testport - ok (10/stable)
Add NSS option:
Before this patch, if nss is installed when chrony is built, there's a silent
lib dependency on nss, and if nss is subsequently uninstalled chrony breaks due
to a now missing library.
I decided to turn it on by default:
- it adds support for a number of more modern hashing algorithms (instead of
only the default and less secure md5)
- if NSS option is turned off, explicitly disable via configure option
- nss is well maintained
- I see the case for having NSS off by default. Many users of chrony just
want the basic features, and don't need the extra security. Turning NSS off by
default reduces dependency proliferation that is not necessary for many users.
So feel free to remove 'OPTIONS_DEFAULT=NSS' before committing this patch.
- Override default NSS_DESC since its generic text is not very helpful for
chrony's usage. The updated description is more specific regarding chrony's
use of NSS.
Other cleanup:
- --infodir is not a valid configure option (since 2.3 I think)
- USES=localbase instead of LDFLAGS
- add explicit --without-tomcrypt [1]
- add support for passing chronyd_flags to chronyd in rc.d script
- fix some hard-coded /usr/local in examples
[1] We could add a TOMCRYPT option which adds even more hashing algorithms.
But libtomcrypt does not have wide exposure. There are some upstream security
updates (also backported to Debian's package) that have been around for years
that were never added to FreeBSD's port. The added benefit of some extra less
common hashing algorithms didn't seem worth adding an option. If we do add an
option in the future, I believe it should be off by default in preference to
nss.