From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 217691] net/chrony: add nss option + other cleanups
Date: Sat, 11 Mar 2017 01:32:55 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217691

            Bug ID: 217691
           Summary: net/chrony: add nss option + other cleanups
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: z7dr6ut7gs@snkmail.com
                CC: yonas@fizk.net
             Flags: maintainer-feedback?(yonas@fizk.net)

Created attachment 180709
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=180709&action=edit
[patch] NSS option + other cleanup

The attached patch adds an NSS option and some other cleanup.

portlint - ok
stage-qa - ok
testport - ok (10/stable)

Add NSS option:

Before this patch, if nss is installed when chrony is built, there's a silent
lib dependency on nss, and if nss is subsequently uninstalled chrony breaks due
to a now missing library.

I decided to turn it on by default:
    - it adds support for a number of more modern hashing algorithms (instead
      of only the default and less secure md5)
    - if NSS option is turned off, explicitly disable via configure option
    - nss is well maintained
    - I see the case for having NSS off by default.  Many users of chrony just
      want the basic features, and don't need the extra security.  Turning NSS
      off by default reduces dependency proliferation that is not necessary for
      many users.

So feel free to remove 'OPTIONS_DEFAULT=NSS' before committing this patch.

    - Override default NSS_DESC since its generic text is not very helpful for
      chrony's usage.  The updated description is more specific regarding
      chrony's use of NSS.

Other cleanup:
    - --infodir is not a valid configure option (since 2.3 I think)
    - USES=localbase instead of LDFLAGS
    - add explicit --without-tomcrypt [1]
    - add support for passing chronyd_flags to chronyd in rc.d script
    - fix some hard-coded /usr/local in examples

[1] We could add a TOMCRYPT option which adds even more hashing algorithms.
But libtomcrypt does not have wide exposure.  There are some upstream security
updates (also backported to Debian's package) that have been around for years
that were never added to FreeBSD's port.  The added benefit of some extra less
common hashing algorithms didn't seem worth adding an option.  If we do add an
option in the future, I believe it should be off by default in preference to
nss.
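
The following is an added example, not part of the bug report or the attached patch: a POSIX sh check for the silent library dependency described above, listing every NEEDED library in a binary's dynamic section that the package does not declare. The readelf output is a constructed sample, and the function names and the list of declared libraries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report shared libraries a binary links against that the
# package does not declare, i.e. the "silent lib dependency" case.

# Constructed sample of `readelf -d` output for a chronyd built while nss
# happened to be installed. Not captured from a real system.
sample_dynamic() {
cat <<'EOF'
Dynamic section at offset 0x3a000 contains 24 entries:
  Tag                Type                 Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libm.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libnss3.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.7]
 0x000000000000000c (INIT)               0x402000
EOF
}

# needed_libs: read `readelf -d` output on stdin, print one soname per
# NEEDED entry and ignore every other dynamic tag.
needed_libs() {
    sed -n 's/.*(NEEDED).*\[\([^]]*\)].*/\1/p'
}

# undeclared_libs DECLARED...: read `readelf -d` output on stdin and print
# each NEEDED soname that is not among the arguments. The arguments stand
# for base-system libraries plus the port's declared library dependencies
# (hypothetical list, supplied by the caller).
undeclared_libs() {
    declared=" $* "
    needed_libs | while read -r lib; do
        case "$declared" in
            *" $lib "*) ;;                  # declared: nothing to report
            *) printf '%s\n' "$lib" ;;      # linked but never declared
        esac
    done
}

# Build with no nss dependency declared: the linkage is flagged.
sample_dynamic | undeclared_libs libc.so.7 libm.so.5    # prints libnss3.so
```

To check a real build, pipe `readelf -d` run on the installed chronyd binary into `undeclared_libs` in place of `sample_dynamic`.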