CVS commit: [pkgsrc-2017Q1] pkgsrc/security/mozilla-rootcerts

["Benny Siegert" <bsiegert%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Wed Jun 21 18:45:27 UTC 2017

Modified Files:
        pkgsrc/security/mozilla-rootcerts [pkgsrc-2017Q1]: Makefile
        pkgsrc/security/mozilla-rootcerts/files [pkgsrc-2017Q1]:
            mozilla-rootcerts.sh

Log Message:
Pullup ticket #5488 - requested by sevan
security/mozilla-rootcerts: build fix

Revisions pulled up:
- security/mozilla-rootcerts/Makefile                           1.27-1.29
- security/mozilla-rootcerts/files/mozilla-rootcerts.sh         1.14-1.18

---
   Module Name:    pkgsrc
   Committed By:   gdt
   Date:           Mon Jun 19 00:10:21 UTC 2017

   Modified Files:
           pkgsrc/security/mozilla-rootcerts: Makefile
           pkgsrc/security/mozilla-rootcerts/files: mozilla-rootcerts.sh

   Log Message:
   Substitute path to openssl more thoroughly

   This package can depend on builtin openssl or pkgsrc openssl.
   However, it had paths from the base system hardcoded.  Be more
   thorough about using builtin vs pkgsrc paths.  This is a minimal
   change to use builtin/pkgsrc paths; future commits will note latent
   issues uncovered in the process.

   Based on a report to pkgsrc-users by J. Lewis Muir.

---
   Module Name:    pkgsrc
   Committed By:   gdt
   Date:           Mon Jun 19 00:20:15 UTC 2017

   Modified Files:
           pkgsrc/security/mozilla-rootcerts/files: mozilla-rootcerts.sh

   Log Message:
   Add comments questioning many things

   Describe issues with touching the config file and the spurious
   directory check surrounding ca-certificates.crt.

---
   Module Name:    pkgsrc
   Committed By:   gdt
   Date:           Mon Jun 19 00:32:38 UTC 2017

   Modified Files:
           pkgsrc/security/mozilla-rootcerts: Makefile
           pkgsrc/security/mozilla-rootcerts/files: mozilla-rootcerts.sh

   Log Message:
   Rationalize directory handling around ca-certificates.crt

   Now, ca-certificates.crt is always in the main certs dir, because we
   have been careful about builtin vs pkgsrc paths.  So the directory
   must exist (because it was checked earlier).  Instead, check for the
   ca-certificates.crt file existing.  Add more questioning comments.

   Based on a patch by J. Lewis Muir.

---
   Module Name:    pkgsrc
   Committed By:   gdt
   Date:           Mon Jun 19 00:37:48 UTC 2017

   Modified Files:
           pkgsrc/security/mozilla-rootcerts: Makefile
           pkgsrc/security/mozilla-rootcerts/files: mozilla-rootcerts.sh

   Log Message:
   Revert touching of openssl config file

   Earlier, code was added to "touch $conffile" to work around openssl
   issuing a warning if openssl.conf was not present.  This is
   problematic because if the warning is appropriate, 1) we have no way
   of knowing that an empty config file is correct and 2) we should not
   silence it.  If the warning is buggy, then openssl and/or the base
   system should be fixed.  Further, this code changes the modification
   date of the config file on every run, even when there is a valid
   config file.

   (There was no discussion prior, three objections and no concurrences,
   and no response, so reverting seems ok.)

---
   Module Name:    pkgsrc
   Committed By:   gdt
   Date:           Mon Jun 19 00:39:53 UTC 2017

   Modified Files:
           pkgsrc/security/mozilla-rootcerts/files: mozilla-rootcerts.sh

   Log Message:
   Adjust comments around ca-certificates.crt

   (Ride earlier PKGREVISION.)


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.26.2.1 pkgsrc/security/mozilla-rootcerts/Makefile
cvs rdiff -u -r1.13 -r1.13.2.1 \
    pkgsrc/security/mozilla-rootcerts/files/mozilla-rootcerts.sh

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/mozilla-rootcerts/Makefile
diff -u pkgsrc/security/mozilla-rootcerts/Makefile:1.26 pkgsrc/security/mozilla-rootcerts/Makefile:1.26.2.1
--- pkgsrc/security/mozilla-rootcerts/Makefile:1.26     Wed Mar 15 18:52:55 2017
+++ pkgsrc/security/mozilla-rootcerts/Makefile  Wed Jun 21 18:45:27 2017
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.26 2017/03/15 18:52:55 jperkin Exp $
+# $NetBSD: Makefile,v 1.26.2.1 2017/06/21 18:45:27 bsiegert Exp $
 
 DISTNAME=      mozilla-rootcerts-1.0.${CERTDATA_DATE}
-PKGREVISION=   2
+PKGREVISION=   5
 CATEGORIES=    security
 MASTER_SITES=  -https://hg.mozilla.org/mozilla-central/raw-file/052b90b5414f/security/nss/lib/ckfw/builtins/certdata.txt
 DISTFILES=     ${CERTDATA}
@@ -21,13 +21,14 @@ CERTDATA=   certdata-${CERTDATA_DATE}.txt
 WRKSRC=                ${WRKDIR}
 DATADIR=       ${PREFIX}/share/${PKGBASE}
 
+# Set paths depending on whether we depend on builtin or pkgsrc openssl.
 CHECK_BUILTIN.openssl= yes
 .include "../../security/openssl/builtin.mk"
 CHECK_BUILTIN.openssl= no
 .if !empty(USE_BUILTIN.openssl:M[yY][eE][sS])
-SSLDIR=                /etc/openssl/certs
+SSLDIR=                /etc/openssl
 .else
-SSLDIR=                ${PKG_SYSCONFDIR}/openssl/certs
+SSLDIR=                ${PKG_SYSCONFDIR}/openssl
 .endif
 
 CERT_SCRIPT=           mozilla-rootcerts.sh

Index: pkgsrc/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
diff -u pkgsrc/security/mozilla-rootcerts/files/mozilla-rootcerts.sh:1.13 pkgsrc/security/mozilla-rootcerts/files/mozilla-rootcerts.sh:1.13.2.1
--- pkgsrc/security/mozilla-rootcerts/files/mozilla-rootcerts.sh:1.13   Wed Mar 15 18:52:56 2017
+++ pkgsrc/security/mozilla-rootcerts/files/mozilla-rootcerts.sh        Wed Jun 21 18:45:27 2017
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: mozilla-rootcerts.sh,v 1.13 2017/03/15 18:52:56 jperkin Exp $
+# $NetBSD: mozilla-rootcerts.sh,v 1.13.2.1 2017/06/21 18:45:27 bsiegert Exp $
 #
 # This script is meant to be used as follows:
 #
@@ -21,9 +21,8 @@
 
 self="@LOCALBASE@/sbin/mozilla-rootcerts"
 certfile="@DATADIR@/certdata.txt"
-certdir="/etc/ssl/certs"
+certdir=${SSLDIR}/certs
 destdir=
-conffile="/etc/openssl/openssl.cnf"
 
 usage()
 {
@@ -188,28 +187,35 @@ extract)
        }'
        ;;
 install)
-       if [ `uname -s` = "NetBSD" ]; then
-               # quell warnings for a missing config file
-               touch $destdir$conffile
-       fi
-       if [ ! -d $destdir$SSLDIR ]; then
-               ${ECHO} 1>&2 "ERROR: $destdir$SSLDIR does not exist, aborting."
+       # Insist on e.g. /etc/openssl/certs existing.
+       if [ ! -d $destdir$certdir ]; then
+               ${ECHO} 1>&2 "ERROR: $destdir$certdir does not exist, aborting."
                exit 1
        fi
-       cd $destdir$SSLDIR
+       cd $destdir$certdir
        if [ -n "`${LS}`" ]; then
-               ${ECHO} 1>&2 "ERROR: $destdir$SSLDIR already contains certificates, aborting."
+               # \todo Explain why this must fail if the user has
+               # installed certificates from other than the mozilla
+               # default root set.
+               ${ECHO} 1>&2 "ERROR: $destdir$certdir already contains certificates, aborting."
                exit 1
        fi
        set -e
        $self extract
        $self rehash
        set +e
-       if [ -d $destdir$certdir ]; then
-               ${ECHO} 1>&2 "ERROR: $destdir$certdir already exists, aborting."
+       # \todo Explain why if we are willing to write
+       # ca-certificates.crt, we are not willing to remove and
+       # re-create it.  Arguably install should be idempotent without
+       # error.
+       if [ -e $destdir$certdir/ca-certificates.crt ]; then
+               ${ECHO} 1>&2 "ERROR: $destdir$certdir/ca-certificates.crt already exists, aborting."
                exit 1
        fi
        set -e
-       $MKDIR $destdir$certdir
-       cat $destdir$SSLDIR/*.pem > $destdir$certdir/ca-certificates.crt
+       # \todo This is appparently for users of gnutls, but it is not
+       # clear where it should be and why.  In particular, this file
+       # should perhaps be created at package build time and be
+       # managed by pkgsrc.
+       cat $destdir$certdir/*.pem > $destdir$certdir/ca-certificates.crt
 esac