From: Kimmo Paasiala
Date: Sun, 19 Jun 2016 12:58:14 +0300
Subject: Re: new certificate for svn.freebsd.org?
To: Wolfgang Zenker
Cc: "freebsd-stable@freebsd.org"

On Sat, Jun 18, 2016 at 12:55 PM, Wolfgang Zenker wrote:
> * Matthew Seaman [160618 11:21]:
>> On 18/06/2016 05:40, Ben Steel via freebsd-stable wrote:
>>> It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
>>> The new certificate is in place on the 4 mirrors that I found (US East,
>>> US West, UK, Russia) but didn't verify cleanly and wasn't in the
>>> documentation.
>
>>> For me, the fix was in Dimitry's mail, a step I probably missed when
>>> installing security/ca_root_nss:
>
>>> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
>
>> There's an option in the ca_root_nss port to create the symlink, which
>> is enabled by default. That option only exists because the ports are
>> not supposed to touch anything outside /usr/local -- except that for
>> this port, not creating the symlink for /etc/ssl/cert.pm pretty much
>> renders the whole port pointless.
>
>> Even so, the option used to be off by default: the change to 'on by
>> default' was made almost exactly a year ago, and there have been several
>> changes to the list of certs since, so not having the symlink in place
>> indicates either that you haven't updated your ports recently, or that
>> you've specifically chosen not to enable the symlink. In which case you
>> wouldn't have been able to validate the previous cert either.
>
> I first installed the port a couple of years ago and updated regularly,
> but of course the options value of not installing the symlink, which
> I then accepted as default, had been saved and was automatically used
> in every update since. I could not validate the previous cert either,
> but could check the hash against the published version.
>
> Now using "make rmconfig" and reinstalling the port fixed it for me.
>
> Maybe we should consider bringing the config dialog up again in
> ports where default values are changed?
>
> Wolfgang

That would probably require some reworking of the saved options. Now
there is no information saved if an option is at its default setting
or differs from the default. Without that information evaluating all
options to detect changed defaults for a large set of ports would be
very slow.

-Kimmo
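
Added example, not part of the original thread: a small sh audit for the situation discussed above, checking whether /etc/ssl/cert.pem really points at the ca_root_nss bundle and whether a saved port option is what keeps the symlink from being created. The saved-options path /var/db/ports/security_ca_root_nss/options, the option name ETCSYMLINK and the OPTIONS_FILE_SET/UNSET line format are assumptions not stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are passed as arguments so the
# checks can be pointed at a test tree instead of the live system.

# check_cert_symlink LINK TARGET
# Prints one of: ok | missing | not-symlink | wrong-target | dangling
check_cert_symlink() {
    link=$1 target=$2
    if [ ! -L "$link" ]; then
        # A regular file here means some other bundle is being trusted.
        if [ -e "$link" ]; then echo not-symlink; else echo missing; fi
        return 0
    fi
    if [ "$(readlink "$link")" != "$target" ]; then
        echo wrong-target
    elif [ ! -e "$link" ]; then
        echo dangling   # symlink is right, but the bundle itself is gone
    else
        echo ok
    fi
}

# saved_option_state OPTIONS_FILE OPTION
# Prints one of: set | unset | not-recorded | no-saved-config
saved_option_state() {
    file=$1 opt=$2
    [ -f "$file" ] || { echo no-saved-config; return 0; }
    if grep -Eq "^OPTIONS_FILE_UNSET\+=${opt}\$" "$file"; then echo unset
    elif grep -Eq "^OPTIONS_FILE_SET\+=${opt}\$" "$file"; then echo set
    else echo not-recorded
    fi
}

# audit LINK TARGET OPTIONS_FILE OPTION
audit() {
    link_state=$(check_cert_symlink "$1" "$2")
    opt_state=$(saved_option_state "$3" "$4")
    echo "symlink=$link_state option=$opt_state"
    # The case from the thread: an old saved "off" choice survives every
    # update even though the port default has since changed to "on".
    if [ "$opt_state" = unset ] && [ "$link_state" != ok ]; then
        echo "hint: saved option disables the symlink; 'make rmconfig' and reinstall"
    fi
}

# Assumed locations (see lead-in); adjust for the system being audited.
audit /etc/ssl/cert.pem /usr/local/share/certs/ca-root-nss.crt \
      /var/db/ports/security_ca_root_nss/options ETCSYMLINK
```
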