Date: Sat, 11 Mar 2017 01:32:55 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 217691] net/chrony: add nss option + other cleanups
Message-ID: <bug-217691-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217691

Bug ID: 217691
Summary: net/chrony: add nss option + other cleanups
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs@FreeBSD.org
Reporter: z7dr6ut7gs@snkmail.com
CC: yonas@fizk.net
Flags: maintainer-feedback?(yonas@fizk.net)

Created attachment 180709
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=180709&action=edit
[patch] NSS option + other cleanup

The attached patch adds an NSS option and some other cleanup.

portlint - ok
stage-qa - ok
testport - ok (10/stable)

Add NSS option:

Before this patch, if nss is installed when chrony is built, there's a silent lib dependency on nss, and if nss is subsequently uninstalled chrony breaks due to a now missing library.

I decided to turn it on by default:

- it adds support for a number of more modern hashing algorithms (instead of only the default and less secure md5)
- if NSS option is turned off, explicitly disable via configure option
- nss is well maintained
- I see the case for having NSS off by default. Many users of chrony just want the basic features, and don't need the extra security. Turning NSS off by default reduces dependency proliferation that is not necessary for many users. So feel free to remove 'OPTIONS_DEFAULT=NSS' before committing this patch.
- Override default NSS_DESC since its generic text is not very helpful for chrony's usage. The updated description is more specific regarding chrony's use of NSS.

Other cleanup:

- --infodir is not a valid configure option (since 2.3 I think)
- USES=localbase instead of LDFLAGS
- add explicit --without-tomcrypt [1]
- add support for passing chronyd_flags to chronyd in rc.d script
- fix some hard-coded /usr/local in examples

[1] We could add a TOMCRYPT option which adds even more hashing algorithms. But libtomcrypt does not have wide exposure. There's some upstream security updates (also backported to debian's package) that have been around for years that were never added to freebsd's port. The added benefit of some extra less common hashing algorithms didn't seem worth adding an option. If we do add an option in the future, I believe it should be off by default in preference to nss.

-- 
You are receiving this mail because:
You are the assignee for the bug.