pkgsrc-Bugs archive


PR/58143 CVS commit: pkgsrc/mk



The following reply was made to PR pkg/58143; it has been noted by GNATS.

From: "Taylor R Campbell" <riastradh%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/58143 CVS commit: pkgsrc/mk
Date: Tue, 7 Jan 2025 19:18:08 +0000

 Module Name:	pkgsrc
 Committed By:	riastradh
 Date:		Tue Jan  7 19:18:08 UTC 2025
 
 Added Files:
 	pkgsrc/mk: ssl.mk ssldir.mk
 
 Log Message:
 mk/ssl.mk, mk/ssldir.mk: New files to define some TLS-related paths.
 
 Nothing uses these new files yet, so this cannot break anything.
 Packages should opt into using this as they are tested with it -- in
 particular, www/curl may need some care because on NetBSD this
 changes SSLCERTBUNDLE from undefined (and functionally empty) to a
 path, which affects how www/curl builds (but only www/curl as far as
 I can tell).
 
 Packages can include "../../mk/ssl.mk" to get at the following
 variables for TLS-related paths, with the following current values:
 
 SSLDIR          directory where TLS-related files live
                 NetBSD: /etc/openssl (even for, say, gnutls)
                 Fedora: /etc/pki/tls
                 Haiku: /boot/system/data/ssl or /boot/common/data/ssl
                 Others: /etc/ssl
 
 SSLCERTS        TLS trust anchors in OpenSSL hashed cert directory
                 Everywhere: ${SSLDIR}/certs
 
 SSLCERTBUNDLE   TLS trust anchors in single-file concatenated PEM
                 NetBSD: ${SSLDIR}/certs/ca-certificates.crt (*)
                 Others: ${SSLDIR}/certs/ca-bundle.crt if exists
 
 SSLKEYS         directory of per-service TLS private keys
                 Everywhere: ${SSLDIR}/private
 
 This logic is extracted almost verbatim (modulo indentation) from
 security/openssl/builtin.mk, split into two files because of how SSLDIR
 is conditional on builtin vs non-builtin OpenSSL.
 
 (*) The one difference is: On NetBSD, SSLCERTBUNDLE is
 /etc/openssl/certs/ca-certificates.crt, not undefined.
 
 Why /etc/openssl on NetBSD, even though it is used by
 non-OpenSSL applications?
 
 => Upstream OpenSSL uses /etc/ssl by default, but NetBSD's OpenSSL
    has been built to use /etc/openssl for decades.  Other systems
    have expanded the domain of the path /etc/ssl to non-OpenSSL
    software, or changed it to /etc/pki/tls, but the name stuck as
    /etc/openssl on NetBSD, and it has carried over to any systems
    using security/mozilla-rootcerts or security/ca-certificates.
 
    To keep this change narrowly scoped to what I can test, I'm
    limiting it to NetBSD for now -- but this is worth revisiting for
    other operating systems if pkgsrc has traditionally been used on
    those systems with security/mozilla-rootcerts instead of
    OS-provided trust anchors.
 
 => In NetBSD>=10, certctl(8) manages trust anchors under
    /etc/openssl/certs out of the box -- this was chosen to match
    existing practice on NetBSD so most existing applications would
    continue to work unmodified.
 
 Why ${SSLDIR}/certs/ca-certificates.crt instead of
 ${SSLDIR}/certs/ca-bundle.crt on NetBSD?
 
 => The security/mozilla-rootcerts `mozilla-rootcerts install' command
    has used the file name `ca-certificate.crt' for over a decade,
    since mozilla-rootcerts-1.0.20121229nb1 back in 2013; likewise the
    security/mozilla-rootcerts-openssl package since it was introduced
    in 2015.
 
    (Originally it put this in /etc/ssl/certs/ca-certificates.crt
    instead of /etc/openssl/certs/ca-certificates.crt, but that was
    changed in mozilla-rootcerts-1.0.20170121nb3 back in 2017,
    presumably so it would match how NetBSD ships OpenSSL (except when
    using pkgsrc OpenSSL, in which case it uses
    ${PKG_SYSCONFDIR}/openssl/certs/ca-certificates.crt).  That
    compatibility break happened long enough ago that I don't think
    it's worth trying to restore anything about it -- and we can
    probably safely ditch any patches that point, e.g., Go at
    /etc/ssl/certs/ca-certificates.crt at this point.)
 
 => In NetBSD>=10, certctl(8) puts this file at
    /etc/openssl/certs/ca-certificates.crt out of the box -- this was
    chosen to match existing practice on NetBSD so most existing
    applications would continue to work unmodified.
 
 Preparation for (among other fixes):
 
 PR pkg/58143: security/gnutls uses wrong trust anchors
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r0 -r1.1 pkgsrc/mk/ssl.mk pkgsrc/mk/ssldir.mk
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
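The per-OS path rules above, written out as an added POSIX shell example (this is not pkgsrc's own mk/ssl.mk, which is BSD make). It resolves SSLDIR and SSLCERTBUNDLE for an OPSYS and then checks that the trust anchors a package would be pointed at actually exist; the ROOT prefix and the Haiku tie-break rule are assumptions.

```shell
#!/bin/sh
# Added example, not pkgsrc's own mk/ssl.mk: resolve the SSLDIR and
# SSLCERTBUNDLE paths the commit message describes for a given OPSYS, then
# sanity-check that the trust anchors really exist.  ROOT (assumed, default
# empty) is prefixed to every path so the logic can be run against a test tree.

# ssl_dir OPSYS: print SSLDIR.  The Haiku rule (prefer /boot/system) is an
# assumption; the commit message lists both candidates without a selection rule.
ssl_dir() {
    case "$1" in
        NetBSD) echo "${ROOT:-}/etc/openssl" ;;
        Fedora) echo "${ROOT:-}/etc/pki/tls" ;;
        Haiku)  if [ -d "${ROOT:-}/boot/system/data/ssl" ]; then
                    echo "${ROOT:-}/boot/system/data/ssl"
                else
                    echo "${ROOT:-}/boot/common/data/ssl"
                fi ;;
        *)      echo "${ROOT:-}/etc/ssl" ;;
    esac
}

# ssl_cert_bundle OPSYS: print SSLCERTBUNDLE, or nothing when it is undefined
# (everywhere but NetBSD it is only set if ca-bundle.crt exists).
ssl_cert_bundle() {
    dir=$(ssl_dir "$1")
    case "$1" in
        NetBSD) echo "$dir/certs/ca-certificates.crt" ;;
        *)      [ -f "$dir/certs/ca-bundle.crt" ] && echo "$dir/certs/ca-bundle.crt" ;;
    esac
    return 0
}

# bundle_cert_count FILE: number of PEM certificates in a concatenated bundle
# (0 when the file is missing, which is how an empty trust store shows up).
bundle_cert_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# hashed_dir_ok DIR: succeed when DIR contains at least one OpenSSL hash-named
# entry (xxxxxxxx.N), i.e. it looks like a usable SSLCERTS directory.
hashed_dir_ok() {
    for f in "$1"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) return 0 ;;
        esac
    done
    return 1
}
```

Running `bundle_cert_count "$(ssl_cert_bundle NetBSD)"` on a host where it prints 0 is the symptom behind PR pkg/58143: a path that exists in the build logic but holds no trust anchors.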
 

