Re: git: acd6144c488b - main - devel/git: Update to 2.39.1

From: Michael Gmelin <grembo_at_freebsd.org>
Date: Thu, 19 Jan 2023 08:42:26 UTC

> On 19. Jan 2023, at 09:33, Antoine Brodin <antoine@freebsd.org> wrote:
> 
> On Thu, Jan 19, 2023 at 8:22 AM Antoine Brodin <antoine@freebsd.org> wrote:
>> 
>>> On Thu, Jan 19, 2023 at 8:19 AM Antoine Brodin <antoine@freebsd.org> wrote:
>>> 
>>> On Thu, Jan 19, 2023 at 7:55 AM Michael Gmelin <grembo@freebsd.org> wrote:
>>>> 
>>>> 
>>>> 
>>>>> On 19. Jan 2023, at 08:39, Antoine Brodin <antoine@freebsd.org> wrote:
>>>>> 
>>>>> On Thu, Jan 19, 2023 at 7:38 AM Antoine Brodin <antoine@freebsd.org> wrote:
>>>>>> 
>>>>>>> On Tue, Jan 17, 2023 at 7:13 PM Renato Botelho <garga@freebsd.org> wrote:
>>>>>>> 
>>>>>>> The branch main has been updated by garga:
>>>>>>> 
>>>>>>> URL: https://cgit.FreeBSD.org/ports/commit/?id=acd6144c488bbe15cd81c41f14d9fb96636b4c1f
>>>>>>> 
>>>>>>> commit acd6144c488bbe15cd81c41f14d9fb96636b4c1f
>>>>>>> Author:     Renato Botelho <garga@FreeBSD.org>
>>>>>>> AuthorDate: 2023-01-17 19:12:17 +0000
>>>>>>> Commit:     Renato Botelho <garga@FreeBSD.org>
>>>>>>> CommitDate: 2023-01-17 19:13:51 +0000
>>>>>>> 
>>>>>>>   devel/git: Update to 2.39.1
>>>>>>> 
>>>>>>>   Security:       CVE-2022-41903
>>>>>>>                   CVE-2022-23521
>>>>>>>   Sponsored by:   Rubicon Communications, LLC ("Netgate")
>>>>>>> ---
>>>>>>> devel/git/Makefile  |  2 +-
>>>>>>> devel/git/distinfo  | 14 +++++++-------
>>>>>>> devel/git/pkg-plist | 10 ++++++++++
>>>>>>> 3 files changed, 18 insertions(+), 8 deletions(-)
>>>>>> 
>>>>>> Hello,
>>>>>> 
>>>>>> git seems to be unable to clone or pull over https after this update
>>>>>> unable to access 'https://git.freebsd.org/ports.git/': SSL certificate
>>>>>> problem: unable to get local issuer certificate
>>>>>> 
>>>>>> Could you investigate?
>>>>> 
>>>>> Adding portmgr in cc: as this affects package builders.
>>>>> 
>>>> 
>>>> Does installing ca-root-nss explicitly make a difference?
>>> 
>>> ca_root_nss is installed.
>> 
>> Using an old git package doesn't fix the issue, maybe the problem is
>> in a dependency?
> 
> Going back from curl-7.87.0 to curl-7.86.0 seems to fix the issue
> 

Well, there was this

https://lists.freebsd.org/archives/dev-commits-ports-all/2023-January/049380.html

which unfortunately remained unanswered.

It seems like disabling CA_BUNDLE by default not only removes the dependency on ca_root_nss, but also disables a configuration option to look for certs in the right place:

> +CA_BUNDLE_CONFIGURE_WITH=    ca-bundle=${LOCALBASE}/share/certs/ca-root-nss.crt
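
Review bot: on the `CA_BUNDLE_CONFIGURE_WITH` line, the `ca-bundle=${LOCALBASE}/share/certs/ca-root-nss.crt` path is passed to configure only when the CA_BUNDLE option is enabled, so a default-off option removes the bundle path together with the ca_root_nss dependency. Consider decoupling the two, or documenting next to the option how HTTPS consumers such as git are expected to locate a CA bundle when it is off; the "unable to get local issuer certificate" error reported earlier in this thread is what that case looks like to users.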

Michael