security/libressl: Update to 2.2.6
ClosedPublic
Actions

Authored by brnrd on Jan 29 2016, 9:17 AM.

Details

Reviewers

miwi
koobs
feld

Commits

rP407612: security/libressl: Update to 2.2.6

Summary

Proposed commit log:

security/libressl: Update to 2.2.6

  - Update to version 2.2.6 [1]
  - Remove CA root cert that is installed by default

Changes:

  ftp://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.6-relnotes.txt [1]

Reviewed_by:	koobs (mentor), feld (mentor)
Approved by:	(mentor)
Differential_Revision:	D5115

Test Plan

make check-plist (clean)
portlint -AC (no change)
poudriere testport OK

Diff Detail

Repository

rP FreeBSD ports repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

brnrd updated this revision to Diff 12814.Jan 29 2016, 9:17 AM

brnrd retitled this revision from to security/libressl: Update to 2.2.6.

brnrd updated this object.

brnrd edited the test plan for this revision. (Show Details)

brnrd added reviewers: koobs, feld.

brnrd updated this object.Jan 29 2016, 12:38 PM

brnrd edited the test plan for this revision. (Show Details)

koobs requested changes to this revision.Jan 29 2016, 12:51 PM

koobs edited edge metadata.

koobs added inline comments.

security/libressl/Makefile
19 ↗	(On Diff #12814)	I dont think the location ($PREFIX/foo) should be in the OPTION_DESC What is the difference between this set of roots and ca_root_nss's? We set a higher bar for things like this (see previous ca_root_nss debates) Does this certificate conflict with ca_root_nss's? If so, I believe it would need to CONFLICTS[_INSTALL] I don't like that this has a different option name than CA_BUNDLE for all other ports. POLA violation I understand libressl and openssl are mutually exclusive, but just because a user has libre installed, doesn't necessarily mean they want libre's roots, or vice versa for openssl (ca_root_nss). It feels like there should be a choice (somewhere) between which, or who's (nss/libre) "roots" get installed, idenepdent to the ssl library that is selected. Perhaps this could instead be an options group for "Root Certificates" with two options (one being CA_BUNDLE), though I haven't thought about implications, and I don't like this alternative either, because why should libre be the only one to have this choice, why not every other port that has an option for CA_BUNDLE? TLDR; I'm not 100% on this option and I believe it needs more thought/discussion
29 ↗	(On Diff #12814)	Note: Not needed if CERTBUNDLE option is removed as per comment above

This revision now requires changes to proceed.Jan 29 2016, 12:51 PM

can we move forward with the CERTBUNDLE disabled by default so we don't have any conflicts?

In D5115#108847, @feld wrote:

can we move forward with the CERTBUNDLE disabled by default so we don't have any conflicts?

The issue is not the option/feature itself. The idea of having choice in CA root stores is sound and desirable. It will however, still conflicts for ports (or ports/package users) users that enable the option and still remain a POLA violation having your cert store clobbered if it is chosen. It's an actual conflict in the sense that two packages the same file, whether or not its optional. This could be covered by a CERTBUNDLE_CONFLICTS_INSTALL, but I don't believe that solves the underlying issue.

I'm still keen to know the main benefits/intent/differences of this cert store versus NSS to get a better understanding of its value, to determine whether its worth progress in spite of the reservations.

We could also consider packaging them on their own under a libressl-ca-root port, but it still doesn't solve the replaces ca_root_nss problem, nor how users can select this over ca_root_nss for all ports that already depend on it, optionally or otherwise.

You're right, the better architectural design here would be to teach the ports tree how to handle this and have two separate ports.

However, we still don't have a PROVIDES and REQUIRES framework yet so package users will always get whatever is the ports-tree default (probably ca_root_nss)

brnrd marked an inline comment as done.Jan 29 2016, 8:29 PM

brnrd added inline comments.

security/libressl/Makefile
19 ↗	(On Diff #12814)	$PREFIX/foo gone Renamed to CA_BUNDLE Aligned desc with www/neon Mozilla: 173 roots, LibreSSL: 56 No conflict The CA_BUNDLE is usually a knob to make something depend on ca_root_nss, descriptions are not aligned in the ports tree. The change was based on a request from frog on IRC to have this at least configurable. Perfectly fine with me to disable, set it enabled to not change the current behaviour.