From owner-svn-src-head@freebsd.org Thu Dec 5 15:36:41 2019 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id B06271CC66F for ; Thu, 5 Dec 2019 15:36:41 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 47TKZd44W6z4Ktj for ; Thu, 5 Dec 2019 15:36:41 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: from mail-qv1-f53.google.com (mail-qv1-f53.google.com [209.85.219.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) (Authenticated sender: kevans) by smtp.freebsd.org (Postfix) with ESMTPSA id 6306C136D5 for ; Thu, 5 Dec 2019 15:36:41 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: by mail-qv1-f53.google.com with SMTP id t7so1430770qve.4 for ; Thu, 05 Dec 2019 07:36:41 -0800 (PST) X-Gm-Message-State: APjAAAVYhAwMQf1HU9Pmz+KT/O8v3O01AnhHTJH3YX8shQ0i7W7db39d mkyz01EDYa3inla4ZLNUdVlpc/dx46ZBebsZtNM= X-Received: by 2002:ad4:474b:: with SMTP id c11mt7789995qvx.181.1575560200906; Thu, 05 Dec 2019 07:36:40 -0800 (PST) MIME-Version: 1.0 References: <201912051532.xB5FWX2U055706@repo.freebsd.org> In-Reply-To: <201912051532.xB5FWX2U055706@repo.freebsd.org> From: Kyle Evans Date: Thu, 5 Dec 2019 09:36:29 -0600 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: svn commit: r355423 - head Cc: src-committers , svn-src-all , svn-src-head , ports-secteam@freebsd.org, Jan Beich Content-Type: text/plain; charset="UTF-8" X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Dec 2019 15:36:41 -0000 On Thu, Dec 5, 2019 at 9:32 AM Kyle Evans wrote: > > Author: kevans > Date: Thu Dec 5 15:32:33 2019 > New Revision: 355423 > URL: https://svnweb.freebsd.org/changeset/base/355423 > > Log: > UPDATING: Add long-belated note about certs in base > > While the interaction between this and the ETCSYMLINK option of > security/ca_root_nss isn't necessarily fatal, one should be aware and > attempt to understand the ramifications of mixing the two. > > ports-secteam will be contacted to discuss the default option for branches > where certs are being included in base. > > Modified: > head/UPDATING > > Modified: head/UPDATING > ============================================================================== > --- head/UPDATING Thu Dec 5 15:21:13 2019 (r355422) > +++ head/UPDATING Thu Dec 5 15:32:33 2019 (r355423) > @@ -26,6 +26,16 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 13.x IS SLOW: > disable the most expensive debugging functionality run > "ln -s 'abort:false,junk:false' /etc/malloc.conf".) > > +20191205: > + The root certificates of the Mozilla CA Certificate Store have been > + imported into the base system and can be managed with the certctl(8) > + utility. If you have installed the security/ca_root_nss port or package > + with the ETCSYMLINK option (the default), be advised that there may be > + differences between those included in the port and those included in > + base due to differences in nss branch used as well as general update > + frequency. Note also that certctl(8) cannot manage certs in the > + format used by the security/ca_root_nss port. > + > 20191120: > The amd(8) automount daemon has been disabled by default, and will be > removed in the future. As of FreeBSD 10.1 the autofs(5) is available CC'ing ports-secteam@ and jbeich@- I think it would make sense and be A Good Thing(TM?) to go ahead and flip the default of ETCSYMLINK to "off" for -CURRENT/13.0 now that certs should be effectively managed in base and updated with etcupdate/mergemaster. Thoughts? Thanks, Kyle Evans