Date: Sun, 27 May 2018 18:37:34 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 228550] security/ca_root_nss pkg-message claims to use symlinks but mostly doesn't
Message-ID: <bug-228550-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228550

            Bug ID: 228550
           Summary: security/ca_root_nss pkg-message claims to use symlinks
                    but mostly doesn't
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: jdc@koitsu.org
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

ca_root_nss's pkg-message claims the following:

===
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual
intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem
===

This appears to be mostly false: only one of those files is a symlink, the
others are actual data (and not hardlinked either, all different inodes).

Proof:

$ ls -li /etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem
1926146 lrwxr-xr-x  1 root  wheel      38 May 25 18:12 /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
15168803 -rw-r--r--  1 root  wheel  789991 May 25 18:12 /usr/local/etc/ssl/cert.pem
15168805 -rw-r--r--  1 root  wheel  789991 May 25 18:12 /usr/local/openssl/cert.pem

And let's check out /usr/local/share/certs/ca-root-nss.crt for completion:

$ ls -li /usr/local/share/certs/ca-root-nss.crt
15168667 -rw-r--r--  1 root  wheel  789991 May 25 18:12 /usr/local/share/certs/ca-root-nss.crt

And the md5s of all the literal files:

$ md5 /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem /usr/local/share/certs/ca-root-nss.crt
MD5 (/usr/local/etc/ssl/cert.pem) = 2e98964306c1868bcabf06364514f216
MD5 (/usr/local/openssl/cert.pem) = 2e98964306c1868bcabf06364514f216
MD5 (/usr/local/share/certs/ca-root-nss.crt) = 2e98964306c1868bcabf06364514f216

So: three (3) physical copies of the same file, and one symlink to one of
those copies.

Let's look further:

$ pkg info -l ca_root_nss
ca_root_nss-3.37.1:
        /etc/ssl/cert.pem
        /usr/local/etc/ssl/cert.pem.sample
        /usr/local/openssl/cert.pem.sample
        /usr/local/share/certs/ca-root-nss.crt
        /usr/local/share/licenses/ca_root_nss-3.37.1/LICENSE
        /usr/local/share/licenses/ca_root_nss-3.37.1/MPL20
        /usr/local/share/licenses/ca_root_nss-3.37.1/catalog.mk

$ ls -l /usr/local/etc/ssl/cert.pem.sample /usr/local/openssl/cert.pem.sample
lrwxr-xr-x  1 root  wheel  38 May 25 18:12 /usr/local/etc/ssl/cert.pem.sample -> /usr/local/share/certs/ca-root-nss.crt
lrwxr-xr-x  1 root  wheel  38 May 25 18:12 /usr/local/openssl/cert.pem.sample -> /usr/local/share/certs/ca-root-nss.crt

The .sample files are symlinks, but the non-.sample files aren't (sorry for
the double negative).

Thus: either the message is wrong/incorrect, or something changed between
when the message was written and present that removed use of symlinks and
instead uses literal copies.

I reviewed the Makefile, target do-install, and all I see being done
symlink-wise is for .sample files. I'm not even sure what's generating the
non-.sample files...

-- 
You are receiving this mail because:
You are the assignee for the bug.
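
Added example, not part of the original report or of the port itself: a small sh check that repeats the report's ls/md5 comparison for any set of paths and says whether each one is a symlink to the bundle, a hard link, a standalone identical copy, or different content. The function names and status words are assumptions of this example; the default bundle and paths are the ones quoted in the report.

```shell
#!/bin/sh
# Added example (not from the original report): classify how each OpenSSL
# trust-store path relates to the installed CA bundle.

# Default bundle location is the one quoted in the report; override via env.
BUNDLE=${BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}

# classify_cert_path BUNDLE PATH
# Prints one of: symlink-to-bundle, symlink-elsewhere, dangling-symlink,
#                hardlink, identical-copy, different, missing.
classify_cert_path() {
    bundle=$1
    path=$2
    if [ -L "$path" ]; then
        if [ ! -e "$path" ]; then
            echo dangling-symlink
        elif [ "$path" -ef "$bundle" ]; then   # same device and inode once resolved
            echo symlink-to-bundle
        else
            echo symlink-elsewhere
        fi
    elif [ ! -e "$path" ]; then
        echo missing
    elif [ "$path" -ef "$bundle" ]; then       # not a symlink, yet the same inode
        echo hardlink
    elif cmp -s "$path" "$bundle"; then        # byte-for-byte equal, separate inode
        echo identical-copy
    else
        echo different                         # also reported if the bundle is unreadable
    fi
}

# audit_ca_paths BUNDLE PATH...  -> one "status<TAB>path" line per path
audit_ca_paths() {
    bundle=$1
    shift
    for p in "$@"; do
        printf '%s\t%s\n' "$(classify_cert_path "$bundle" "$p")" "$p"
    done
}

# The three paths listed in the pkg-message.
audit_ca_paths "$BUNDLE" \
    /etc/ssl/cert.pem \
    /usr/local/etc/ssl/cert.pem \
    /usr/local/openssl/cert.pem
```

On the system shown in the report this would print symlink-to-bundle for /etc/ssl/cert.pem and identical-copy for the other two paths.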