From: Brooks Davis
To: Brooks Davis
Cc: Kyle Evans, src-committers, svn-src-all, svn-src-head
Date: Wed, 20 May 2020 20:50:04 +0000
Subject: Re: svn commit: r360833 - head
Message-ID: <20200520205004.GA83149@spindle.one-eyed-alien.net>
On Tue, May 12, 2020 at 10:16:03PM +0000, Brooks Davis wrote:
> On Mon, May 11, 2020 at 01:45:14PM -0500, Kyle Evans wrote:
> > On Mon, May 11, 2020 at 1:10 PM Brooks Davis wrote:
> > >
> > > On Sat, May 09, 2020 at 02:01:29AM +0000, Kyle Evans wrote:
> > > > Author: kevans
> > > > Date: Sat May 9 02:01:29 2020
> > > > New Revision: 360833
> > > > URL: https://svnweb.freebsd.org/changeset/base/360833
> > > >
> > > > Log:
> > > > installworld: attempt a certctl rehash at the tail end
> > > >
> > > > This can be run as root or normal user with no problem; if they hadn't
> > > > twisted the WITHOUT_CAROOT knob, we'll attempt to use the host certctl to
> > > > rehash the DESTDIR. This would allow one to build systems WITHOUT_OPENSSL +
> > > > WITH_CAROOT with a populated /etc/ssl that they can then use with an
> > > > appropriate *ssl from somewhere else.
> > > >
> > > > Cross-builds are fine because this will always use the host certctl, or just
> > > > nag if it's missing and it wasn't a WITHOUT_CAROOT build.
> > > >
> > > > MFC after: 1 week
> > > > Differential Revision: https://reviews.freebsd.org/D24641
> > > >
> > > > Modified:
> > > > head/Makefile.inc1
> > > >
> > > > Modified: head/Makefile.inc1 > > > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D > > > > --- head/Makefile.inc1 Sat May 9 01:48:08 2020 (r360= 832) > > > > +++ head/Makefile.inc1 Sat May 9 02:01:29 2020 (r360= 833) 
> > > > @@ -1403,6 +1403,16 @@ distributeworld installworld stageworld: _in= stallcheck > > > > ${DESTDIR}/${DISTDIR}/${dist}.debug.meta > > > > .endfor > > > > .endif > > > > +.elif make(installworld) && ${MK_CAROOT} !=3D "no" > > > > + # We could make certctl a bootstrap tool, but it requires Ope= nSSL and > > > > + # friends, which we likely don't want. We'll rehash on a bes= t-effort > > > > + # basis, otherwise we'll just mention that we're not doing it= to raise > > > > + # awareness. > > > > + @if which certctl>/dev/null; then \ > > > > + certctl rehash \ 
> > >
> > > Does this update METALOG with the added links?
> > >
> > > It seems a little weird to rely on DESTDIR from the environment.
> > >
> > > In general I'm not enthusiastic about additions to installworld that do
> > > anything other than copying files, creating links, etc in simple ways.
> >
> > I will happily back this out if I can get some qualified eyes to
> > review/improve it. It does not update METALOG, and it probably should.
> > Agreed on DESTDIR. As for point #3, I guess we can continue spreading
> > `certctl rehash` all over the tree in various points that may need it;
> > the release(7) scripts will need to be done if we don't do it here at
> > a minimum, and I haven't put much thought into it beyond that.
>
> I'm not in a rush to back this out given that it's solving a real
> problem, but let's talk about improvements.
>
> I kind of feel like this belongs in distribution (which I think would
> deal with release scripts) or in etcupdate/mergemaster, but I'm not
> sure either of those are correct. I'd be happy to review changes to
> update the METALOG (I guess we'd extend certctl with an option to do
> that?) I think that's the most important thing because we really
> should be routinely validating that DESTDIR only contains things in the
> METALOG. A quick and dirty fix for the DESTDIR weirdness might be adding
> "env DESTDIR=${DESTDIR}" so it's explicit.
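Review bot: the `certctl rehash` call at the end of the quoted hunk takes its target from a DESTDIR that is only inherited through the environment, and nothing in the visible lines records the links it creates in METALOG, so the installed trust store ends up holding entries the manifest cannot account for. Pass the target explicitly (`env DESTDIR=${DESTDIR} certctl rehash`, as proposed in the thread) and have the new links logged. The `which certctl>/dev/null` guard also accepts whichever `certctl` is first on the host PATH and leaves stderr unredirected; `command -v certctl >/dev/null 2>&1` is the portable form of that test.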
I did discover that this is causing me a minor hassle downstream in
CheriBSD. Our crossbuild tool (cheribuild) checks for files not in the
METALOG and prompts to ask if they should be included when run
interactively. This means all my disk image builds now stall unless I
remember to wait until I'm past that stage.

Without addressing the question of which stage (if any) the certctl
rehash should take place in, I have a potential fix for the failure to
handle METALOG files in https://reviews.freebsd.org/D24932. It needs
some documentation updates before it can land, but I think it's
complete.

-- Brooks
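The validation discussed in this message, that DESTDIR contains only entries listed in METALOG, as an added example (not code from cheribuild or the FreeBSD tree). It assumes METALOG is mtree text with one `./path key=value ...` entry per line; the function names, sample tree and link name are constructed for illustration.

```python
import os
import re
import tempfile

def metalog_paths(metalog_text):
    """Paths recorded in mtree-style METALOG text, relative to DESTDIR."""
    paths = set()
    for line in metalog_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split()[0]
        # mtree writes special bytes as vis(3) octal escapes, e.g. \040 for a space
        name = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)
        paths.add(os.path.normpath(name))
    return paths

def unlisted_entries(destdir, metalog_text):
    """Entries present under destdir that METALOG does not account for."""
    listed = metalog_paths(metalog_text)
    found = set()
    for root, dirs, files in os.walk(destdir):  # symlinks are listed, not followed
        for name in dirs + files:
            found.add(os.path.relpath(os.path.join(root, name), destdir))
    return sorted(found - listed)

# Constructed sample: what the install recorded before any rehash ran.
SAMPLE_METALOG = """\
#mtree 2.0
./etc type=dir uname=root gname=wheel mode=0755
./etc/ssl type=dir uname=root gname=wheel mode=0755
./etc/ssl/certs type=dir uname=root gname=wheel mode=0755
./usr type=dir uname=root gname=wheel mode=0755
./usr/share type=dir uname=root gname=wheel mode=0755
./usr/share/certs type=dir uname=root gname=wheel mode=0755
./usr/share/certs/trusted type=dir uname=root gname=wheel mode=0755
./usr/share/certs/trusted/Example_CA.pem type=file uname=root gname=wheel mode=0444
"""

def demo():
    """Build a constructed DESTDIR, add one unrecorded link, report the difference."""
    with tempfile.TemporaryDirectory() as destdir:
        certs = os.path.join(destdir, "etc/ssl/certs")
        trusted = os.path.join(destdir, "usr/share/certs/trusted")
        os.makedirs(certs)
        os.makedirs(trusted)
        open(os.path.join(trusted, "Example_CA.pem"), "w").close()
        # Stand-in for a link added after the install (constructed hash name)
        os.symlink("../../../usr/share/certs/trusted/Example_CA.pem",
                   os.path.join(certs, "0a1b2c3d.0"))
        return unlisted_entries(destdir, SAMPLE_METALOG)
```

An empty result means every entry in the tree is accounted for; anything returned is a file, directory or link that reached DESTDIR without a manifest record.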