Date: Thu, 5 Dec 2019 09:36:29 -0600 From: Kyle Evans <kevans@freebsd.org> Cc: src-committers <src-committers@freebsd.org>, svn-src-all <svn-src-all@freebsd.org>, svn-src-head <svn-src-head@freebsd.org>, ports-secteam@freebsd.org, Jan Beich <jbeich@freebsd.org> Subject: Re: svn commit: r355423 - head Message-ID: <CACNAnaGC%2BFi0rP2fibmVxV4kzVFmUdemNQOF4=fb1Ved029mkQ@mail.gmail.com> In-Reply-To: <201912051532.xB5FWX2U055706@repo.freebsd.org> References: <201912051532.xB5FWX2U055706@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Dec 5, 2019 at 9:32 AM Kyle Evans <kevans@freebsd.org> wrote: > > Author: kevans > Date: Thu Dec 5 15:32:33 2019 > New Revision: 355423 > URL: https://svnweb.freebsd.org/changeset/base/355423 > > Log: > UPDATING: Add long-belated note about certs in base > > While the interaction between this and the ETCSYMLINK option of > security/ca_root_nss isn't necessarily fatal, one should be aware and > attempt to understand the ramifications of mixing the two. > > ports-secteam will be contacted to discuss the default option for branches > where certs are being included in base. > > Modified: > head/UPDATING > > Modified: head/UPDATING > ============================================================================== > --- head/UPDATING Thu Dec 5 15:21:13 2019 (r355422) > +++ head/UPDATING Thu Dec 5 15:32:33 2019 (r355423) > @@ -26,6 +26,16 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 13.x IS SLOW: > disable the most expensive debugging functionality run > "ln -s 'abort:false,junk:false' /etc/malloc.conf".) > > +20191205: > + The root certificates of the Mozilla CA Certificate Store have been > + imported into the base system and can be managed with the certctl(8) > + utility. If you have installed the security/ca_root_nss port or package > + with the ETCSYMLINK option (the default), be advised that there may be > + differences between those included in the port and those included in > + base due to differences in nss branch used as well as general update > + frequency. Note also that certctl(8) cannot manage certs in the > + format used by the security/ca_root_nss port. > + > 20191120: > The amd(8) automount daemon has been disabled by default, and will be > removed in the future. As of FreeBSD 10.1 the autofs(5) is available CC'ing ports-secteam@ and jbeich@- I think it would make sense and be A Good Thing(TM?) to go ahead and flip the default of ETCSYMLINK to "off" for -CURRENT/13.0 now that certs should be effectively managed in base and updated with etcupdate/mergemaster. Thoughts? Thanks, Kyle Evans
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACNAnaGC%2BFi0rP2fibmVxV4kzVFmUdemNQOF4=fb1Ved029mkQ>