Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 20 Sep 2023 15:13:00 +0200
From:      Franco Fichtner <franco@lastsummer.de>
To:        Bernhard Froehlich <decke@freebsd.org>
Cc:        ports <ports@freebsd.org>
Subject:   Re: security/ca_root_nss: Remove duplicate PLIST entry
Message-ID:  <ECA8637A-D616-4D85-B6B5-DD5E39197282@lastsummer.de>
In-Reply-To: <18ab24f3cb3.c5c013fe911770.6822211215277654124@FreeBSD.org>
References:  <EAE8891D-0168-4879-BA59-067FAE37623F@lastsummer.de> <44a681dd-71cf-4946-bcdc-4928aeb02fd5@FreeBSD.org> <3C85B95F-A41E-4859-9D27-61D414AFC833@lastsummer.de> <18ab24f3cb3.c5c013fe911770.6822211215277654124@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
Hi,

> On 20. Sep 2023, at 1:17 PM, Bernhard Froehlich <decke@freebsd.org> =
wrote:
>=20
> Before anyone is going to revert this I'd like to add that it seems to =
fix a
> bug with Custom Root CA for me.

Thanks, would have been nice to have this on record.

> Up to now whenever I have a box with an additional Private Root CA in
> /usr/local/share/certs/ and run "certctl rehash" some tools like fetch
> work properly up to the point when ca_root_nss is installed.
>=20
> Removing ca_root_nss also made it work properly:
> pkg remove -f ca_root_nss

I think that's mainly because ETCSYMLINK is enabled by default in
the port.  Without it there's no issue.  Maybe for all releases
bundling CA's it could be turned off by default now?

The main problem is that ca_root_nss caters a bundle for 3 separate
locations used by different services and now makes two of them =
adjustable
and the last one a fixed link with ETCSYMLINK and having multiple =
upstream
projects use any of these locations with differing resulting bundles
in the worst case is not ideal.

So really the samples belong to ETCSYMLINK turned off and the links
belong to ETCSYMLINK turned on.  The patch just tries to break the
ambiguity with the wrong conclusion.  They are the same but they are
separate use cases.

There is no proper override strategy in the port that comes from a
single location an propagates over to the target locations.

Granted I'm not using ETCSYMLINK because I need /etc/ssl/cert.pem to be
a collection of upstream and manual CA's anyway.  At the moment the
motivation is not to drop the consistency that ETCSYMLINK offers for
this discussion.


Cheers,
Franco=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ECA8637A-D616-4D85-B6B5-DD5E39197282>