Date: Tue, 07 Oct 2025 19:45:25 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 290078] Build of security/ca_root_nss results in leftover of cert files on 16-CURRENT
Message-ID: <bug-290078-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290078

            Bug ID: 290078
           Summary: Build of security/ca_root_nss results in leftover of cert files on 16-CURRENT
           Product: Base System
           Version: 16.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: yasu@freebsd.org
                CC: des@FreeBSD.org

Host: 16.0-CURRENT main-n280862-f19aea89abd8 amd64
Poudriere: 3.4.3
Jail: Same as host
Ports tree: ports 9ab81a2c7468

On above conditions build of security/ca_root_nss results in leftover of cert files as below

----------------------------------------------------------------------
=>> Checking for extra files and directories
=>> Error: Files or directories left over:
/etc/ssl/certs/2ccbdda3.0
/etc/ssl/certs/9e654b62.0
/etc/ssl/certs/b0d5255e.0
=>> Error: Files or directories modified:
/etc/ssl/cert.pem size (224449, 229231)
build of security/ca_root_nss | ca_root_nss-3.115_3 ended at Wed Oct 8 04:34:45 JST 2025
build time: 00:00:07
!!! build failure encountered !!!
[00:00:10] Error: Build failed in phase: leftovers
[00:00:10] Logs: /usr/local/poudriere/data/logs/bulk/curamd64-default/2025-10-08_04h34m35s
[00:00:10] Cleaning up
[00:00:10] Unmounting file systems
----------------------------------------------------------------------

On 13.5-RELEASE amd64 and 14.3-RELEASE amd64 leftover doesn't happen.

According to result of bisect, leftover starts with following commit.

----------------------------------------------------------------------
commit c340ef28fd38
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: Mon Aug 18 23:26:29 2025
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: Mon Aug 18 23:28:29 2025

    certctl: Reimplement in C

    Notable changes include:

    * We no longer forget manually untrusted certificates when rehashing.

    * Rehash will now scan the existing directory and progressively replace
      its contents with those of the new trust store. The trust store as a
      whole is not replaced atomically, but each file within it is.

    * We no longer attempt to link to the original files, but we don't copy
      them either. Instead, we write each certificate out in its minimal
      form.

    * We now generate a trust bundle in addition to the hashed directory.
      This also contains only the minimal DER form of each certificate.
      This allows e.g. Unbound to preload the bundle before chrooting.

    * The C version is approximately two orders of magnitude faster than
      the sh version, with rehash taking ~100 ms vs ~5-25 s depending on
      whether ca_root_nss is installed.

    * We now also have tests.

    Reviewed by:    kevans, markj
    Differential Revision:  https://reviews.freebsd.org/D42320
    Differential Revision:  https://reviews.freebsd.org/D51896
----------------------------------------------------------------------

So it seems something is wrong with C version of certctl. Cc-ing committer of base c340ef28fd38.

--
You are receiving this mail because:
You are the assignee for the bug.
