From owner-svn-src-head@freebsd.org  Thu Dec  5 15:36:41 2019
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id B06271CC66F
 for <svn-src-head@mailman.nyi.freebsd.org>;
 Thu,  5 Dec 2019 15:36:41 +0000 (UTC)
 (envelope-from kevans@freebsd.org)
Received: from smtp.freebsd.org (smtp.freebsd.org
 [IPv6:2610:1c1:1:606c::24b:4])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "smtp.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 47TKZd44W6z4Ktj
 for <svn-src-head@freebsd.org>; Thu,  5 Dec 2019 15:36:41 +0000 (UTC)
 (envelope-from kevans@freebsd.org)
Received: from mail-qv1-f53.google.com (mail-qv1-f53.google.com
 [209.85.219.53])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 (Authenticated sender: kevans)
 by smtp.freebsd.org (Postfix) with ESMTPSA id 6306C136D5
 for <svn-src-head@freebsd.org>; Thu,  5 Dec 2019 15:36:41 +0000 (UTC)
 (envelope-from kevans@freebsd.org)
Received: by mail-qv1-f53.google.com with SMTP id t7so1430770qve.4
 for <svn-src-head@freebsd.org>; Thu, 05 Dec 2019 07:36:41 -0800 (PST)
X-Gm-Message-State: APjAAAVYhAwMQf1HU9Pmz+KT/O8v3O01AnhHTJH3YX8shQ0i7W7db39d
 mkyz01EDYa3inla4ZLNUdVlpc/dx46ZBebsZtNM=
X-Received: by 2002:ad4:474b:: with SMTP id c11mt7789995qvx.181.1575560200906; 
 Thu, 05 Dec 2019 07:36:40 -0800 (PST)
MIME-Version: 1.0
References: <201912051532.xB5FWX2U055706@repo.freebsd.org>
In-Reply-To: <201912051532.xB5FWX2U055706@repo.freebsd.org>
From: Kyle Evans <kevans@freebsd.org>
Date: Thu, 5 Dec 2019 09:36:29 -0600
X-Gmail-Original-Message-ID: <CACNAnaGC+Fi0rP2fibmVxV4kzVFmUdemNQOF4=fb1Ved029mkQ@mail.gmail.com>
Message-ID: <CACNAnaGC+Fi0rP2fibmVxV4kzVFmUdemNQOF4=fb1Ved029mkQ@mail.gmail.com>
Subject: Re: svn commit: r355423 - head
Cc: src-committers <src-committers@freebsd.org>,
 svn-src-all <svn-src-all@freebsd.org>, 
 svn-src-head <svn-src-head@freebsd.org>, ports-secteam@freebsd.org, 
 Jan Beich <jbeich@freebsd.org>
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2019 15:36:41 -0000

On Thu, Dec 5, 2019 at 9:32 AM Kyle Evans <kevans@freebsd.org> wrote:
>
> Author: kevans
> Date: Thu Dec  5 15:32:33 2019
> New Revision: 355423
> URL: https://svnweb.freebsd.org/changeset/base/355423
>
> Log:
>   UPDATING: Add long-belated note about certs in base
>
>   While the interaction between this and the ETCSYMLINK option of
>   security/ca_root_nss isn't necessarily fatal, one should be aware and
>   attempt to understand the ramifications of mixing the two.
>
>   ports-secteam will be contacted to discuss the default option for branches
>   where certs are being included in base.
>
> Modified:
>   head/UPDATING
>
> Modified: head/UPDATING
> ==============================================================================
> --- head/UPDATING       Thu Dec  5 15:21:13 2019        (r355422)
> +++ head/UPDATING       Thu Dec  5 15:32:33 2019        (r355423)
> @@ -26,6 +26,16 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 13.x IS SLOW:
>         disable the most expensive debugging functionality run
>         "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
>
> +20191205:
> +       The root certificates of the Mozilla CA Certificate Store have been
> +       imported into the base system and can be managed with the certctl(8)
> +       utility.  If you have installed the security/ca_root_nss port or package
> +       with the ETCSYMLINK option (the default), be advised that there may be
> +       differences between those included in the port and those included in
> +       base due to differences in nss branch used as well as general update
> +       frequency.  Note also that certctl(8) cannot manage certs in the
> +       format used by the security/ca_root_nss port.
> +
>  20191120:
>         The amd(8) automount daemon has been disabled by default, and will be
>         removed in the future.  As of FreeBSD 10.1 the autofs(5) is available

CC'ing ports-secteam@ and jbeich@- I think it would make sense and be
A Good Thing(TM?) to go ahead and flip the default of ETCSYMLINK to
"off" for -CURRENT/13.0 now that certs should be effectively managed
in base and updated with etcupdate/mergemaster. Thoughts?

Thanks,

Kyle Evans