Date: Mon, 11 May 2020 13:45:14 -0500 From: Kyle Evans <kevans@freebsd.org> To: Brooks Davis <brooks@freebsd.org> Cc: src-committers <src-committers@freebsd.org>, svn-src-all <svn-src-all@freebsd.org>, svn-src-head <svn-src-head@freebsd.org> Subject: Re: svn commit: r360833 - head Message-ID: <CACNAnaFiHx8YoQQe9pW5WQz65iViZk54aR9=cF42DyhWBjJnAw@mail.gmail.com> In-Reply-To: <20200511181027.GA60902@spindle.one-eyed-alien.net> References: <202005090201.04921Tpf028388@repo.freebsd.org> <20200511181027.GA60902@spindle.one-eyed-alien.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, May 11, 2020 at 1:10 PM Brooks Davis <brooks@freebsd.org> wrote: > > On Sat, May 09, 2020 at 02:01:29AM +0000, Kyle Evans wrote: > > Author: kevans > > Date: Sat May 9 02:01:29 2020 > > New Revision: 360833 > > URL: https://svnweb.freebsd.org/changeset/base/360833 > > > > Log: > > installworld: attempt a certctl rehash at the tail end > > > > This can be run as root or normal user with no problem; if they hadn't > > twisted the WITHOUT_CAROOT knob, we'll attempt to use the host certctl to > > rehash the DESTDIR. This would allow one to build systems WITHOUT_OPENSSL + > > WITH_CAROOT with a populated /etc/ssl that they can then use with an > > appropriate *ssl from somewhere else. > > > > Cross-builds are fine because this will always use the host certctl, or just > > nag if it's missing and it wasn't a WITHOUT_CAROOT build. > > > > MFC after: 1 week > > Differential Revision: https://reviews.freebsd.org/D24641 > > > > Modified: > > head/Makefile.inc1 > > > > Modified: head/Makefile.inc1 > > ============================================================================== > > --- head/Makefile.inc1 Sat May 9 01:48:08 2020 (r360832) > > +++ head/Makefile.inc1 Sat May 9 02:01:29 2020 (r360833) > > @@ -1403,6 +1403,16 @@ distributeworld installworld stageworld: _installcheck > > ${DESTDIR}/${DISTDIR}/${dist}.debug.meta > > .endfor > > .endif > > +.elif make(installworld) && ${MK_CAROOT} != "no" > > + # We could make certctl a bootstrap tool, but it requires OpenSSL and > > + # friends, which we likely don't want. We'll rehash on a best-effort > > + # basis, otherwise we'll just mention that we're not doing it to raise > > + # awareness. > > + @if which certctl>/dev/null; then \ > > + certctl rehash \ > > Does this update METALOG with the added links? > > It seems a little weird to rely on DESTDIR from the environment. > > In general I'm not enthusiastic about additions to installworld that do > anything other than copying files, creating links, etc in simple ways. I will happily back this out if I can get some qualified eyes to review/improve it. It does not update METALOG, and it probably should. Agreed on DESTDIR. As for point #3, I guess we can continue spreading `certctl rehash` all over the tree in various points that may need it; the release(7) scripts will need to be done if we don't do it here at a minimum, and I haven't put much thought into it beyond that. The close-to-infuriating part of the caroot project has been that it's incredibly hard to get almost anyone else (with some obvious exceptions) to do more than informal discussion on the matter; actual review, in particular, is difficult to obtain. Thanks, Kyle Evans
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACNAnaFiHx8YoQQe9pW5WQz65iViZk54aR9=cF42DyhWBjJnAw>