Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 11 May 2020 13:45:14 -0500
From:      Kyle Evans <kevans@freebsd.org>
To:        Brooks Davis <brooks@freebsd.org>
Cc:        src-committers <src-committers@freebsd.org>, svn-src-all <svn-src-all@freebsd.org>,  svn-src-head <svn-src-head@freebsd.org>
Subject:   Re: svn commit: r360833 - head
Message-ID:  <CACNAnaFiHx8YoQQe9pW5WQz65iViZk54aR9=cF42DyhWBjJnAw@mail.gmail.com>
In-Reply-To: <20200511181027.GA60902@spindle.one-eyed-alien.net>
References:  <202005090201.04921Tpf028388@repo.freebsd.org> <20200511181027.GA60902@spindle.one-eyed-alien.net>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, May 11, 2020 at 1:10 PM Brooks Davis <brooks@freebsd.org> wrote:
>
> On Sat, May 09, 2020 at 02:01:29AM +0000, Kyle Evans wrote:
> > Author: kevans
> > Date: Sat May  9 02:01:29 2020
> > New Revision: 360833
> > URL: https://svnweb.freebsd.org/changeset/base/360833
> >
> > Log:
> >   installworld: attempt a certctl rehash at the tail end
> >
> >   This can be run as root or normal user with no problem; if they hadn't
> >   twisted the WITHOUT_CAROOT knob, we'll attempt to use the host certctl to
> >   rehash the DESTDIR. This would allow one to build systems WITHOUT_OPENSSL +
> >   WITH_CAROOT with a populated /etc/ssl that they can then use with an
> >   appropriate *ssl from somewhere else.
> >
> >   Cross-builds are fine because this will always use the host certctl, or just
> >   nag if it's missing and it wasn't a WITHOUT_CAROOT build.
> >
> >   MFC after:  1 week
> >   Differential Revision:      https://reviews.freebsd.org/D24641
> >
> > Modified:
> >   head/Makefile.inc1
> >
> > Modified: head/Makefile.inc1
> > ==============================================================================
> > --- head/Makefile.inc1        Sat May  9 01:48:08 2020        (r360832)
> > +++ head/Makefile.inc1        Sat May  9 02:01:29 2020        (r360833)
> > @@ -1403,6 +1403,16 @@ distributeworld installworld stageworld: _installcheck
> >       ${DESTDIR}/${DISTDIR}/${dist}.debug.meta
> >  .endfor
> >  .endif
> > +.elif make(installworld) && ${MK_CAROOT} != "no"
> > +     # We could make certctl a bootstrap tool, but it requires OpenSSL and
> > +     # friends, which we likely don't want.  We'll rehash on a best-effort
> > +     # basis, otherwise we'll just mention that we're not doing it to raise
> > +     # awareness.
> > +     @if which certctl>/dev/null; then \
> > +             certctl rehash \
>
> Does this update METALOG with the added links?
>
> It seems a little weird to rely on DESTDIR from the environment.
>
> In general I'm not enthusiastic about additions to installworld that do
> anything other than copying files, creating links, etc in simple ways.

I will happily back this out if I can get some qualified eyes to
review/improve it. It does not update METALOG, and it probably should.
Agreed on DESTDIR. As for point #3, I guess we can continue spreading
`certctl rehash` all over the tree in various points that may need it;
the release(7) scripts will need to be done if we don't do it here at
a minimum, and I haven't put much thought into it beyond that.

The close-to-infuriating part of the caroot project has been that it's
incredibly hard to get almost anyone else (with some obvious
exceptions) to do more than informal discussion on the matter; actual
review, in particular, is difficult to obtain.

Thanks,

Kyle Evans



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACNAnaFiHx8YoQQe9pW5WQz65iViZk54aR9=cF42DyhWBjJnAw>