From: Michael Gmelin
To: Adam Weinberger
Cc: Antoine Brodin, Renato Botelho, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org, FreeBSD Ports Management Team
Subject: Re: git: acd6144c488b - main - devel/git: Update to 2.39.1
Date: Thu, 19 Jan 2023 18:29:55 +0100
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all

On 19. Jan 2023, at 18:04, Adam Weinberger <adamw@adamw.org> wrote:

On Thu, Jan 19, 2023 at 1:42 AM Michael Gmelin <grembo@freebsd.org> wrote:

On 19. Jan 2023, at 09:33, Antoine Brodin <antoine@freebsd.org> wrote:

On Thu, Jan 19, 2023 at 8:22 AM Antoine Brodin <antoine@freebsd.org> wrote:

On Thu, Jan 19, 2023 at 8:19 AM Antoine Brodin <antoine@freebsd.org> wrote:

On Thu, Jan 19, 2023 at 7:55 AM Michael Gmelin <grembo@freebsd.org> wrote:

On 19. Jan 2023, at 08:39, Antoine Brodin <antoine@freebsd.org> wrote:

On Thu, Jan 19, 2023 at 7:38 AM Antoine Brodin <antoine@freebsd.org> wrote:

On Tue, Jan 17, 2023 at 7:13 PM Renato Botelho <garga@freebsd.org> wrote:

The branch main has been updated by garga:

URL: https://cgit.FreeBSD.org/ports/commit/?id=acd6144c488bbe15cd81c41f14d9fb96636b4c1f

commit acd6144c488bbe15cd81c41f14d9fb96636b4c1f
Author:     Renato Botelho <garga@FreeBSD.org>
AuthorDate: 2023-01-17 19:12:17 +0000
Commit:     Renato Botelho <garga@FreeBSD.org>
CommitDate: 2023-01-17 19:13:51 +0000

    devel/git: Update to 2.39.1

    Security:       CVE-2022-41903
                    CVE-2022-23521
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 devel/git/Makefile  |  2 +-
 devel/git/distinfo  | 14 +++++++-------
 devel/git/pkg-plist | 10 ++++++++++
 3 files changed, 18 insertions(+), 8 deletions(-)

Hello,

git seems to be unable to clone or pull over https after this update
unable to access 'https://git.freebsd.org/ports.git/': SSL certificate
problem: unable to get local issuer certificate

Could you investigate?

Adding portmgr in cc: as this affects package builders.

Does installing ca-root-nss explicitly make a difference?

ca_root_nss is installed.

Using an old git package doesn't fix the issue, maybe the problem is
in a dependency?

Going back from curl-7.87.0 to curl-7.86.0 seems to fix the issue

Well, there was this

which unfortunately remained unanswered.

It seems like disabling CA_BUNDLE by default not only removes the dependency on ca_root_nss, but also disables a configuration option to look for certs in the right place:

> +CA_BUNDLE_CONFIGURE_WITH=3D    ca-bundle=3D${LOCALBASE}/sha= re/certs/ca-root-nss.crt
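
Review bot: on the quoted `+CA_BUNDLE_CONFIGURE_WITH` line, the `ca-bundle` path is handed to configure only when the CA_BUNDLE option is on, and nothing in the quoted line covers the option being off, so a default-off build carries no bundle path from here. Suggest pairing it with an explicit off-branch setting, or a note on where certificates are expected to come from when the option is disabled.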

Michael

A lot of this was my fault... I emailed sunpoet a while back and pushed for removing CA_BUNDLE from OPTIONS_DEFAULT, as I felt like I spent all day rebuilding my entire tree every time ca_root_nss got updated.

Perhaps the right solution is to make CA_BUNDLE_CONFIGURE_WITH_OFF= ca-bundle=/something/in/base?

I'm not clear whether base caroot produces something equivalent to LOCALBASE/share/certs/ca-root-nss.crt.

# Adam

Personally I would prefer to keep the option on, as I don’t want to depend on updating the OS for getting a current set of trusted CAs. This definitely has the potential to surprise package consumers on upgrade.

Maybe there is a way to prevent rebuilding dependencies when ca_root_nss changes (it seems odd that it would do that, given ca_root_nss is only a runtime dependency of curl)?

Michael
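
A quick check for the failure discussed in this thread, as an added example (not from the thread or the ports tree): it reports which CA bundle git's HTTPS transport is told to use, in the order GIT_SSL_CAINFO, http.sslCAInfo, then the path compiled into curl as printed by `curl-config --ca`. The function names and the /usr/local value for LOCALBASE in the hint are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Reports which CA bundle git over HTTPS
# is pointed at: GIT_SSL_CAINFO overrides http.sslCAInfo, and if neither is
# set the path compiled into curl applies (empty when built without one).

# pick_ca_source ENV_VALUE CONFIG_VALUE BUILTIN_VALUE
# Prints "<source> <path> <state>"; returns non-zero unless state is "ok".
pick_ca_source() {
    if [ -n "$1" ]; then ca_src=GIT_SSL_CAINFO; ca_path=$1
    elif [ -n "$2" ]; then ca_src=http.sslCAInfo; ca_path=$2
    elif [ -n "$3" ]; then ca_src=curl-builtin; ca_path=$3
    else
        echo "none - unset"
        return 1
    fi
    # A usable bundle is a readable file holding at least one PEM certificate.
    if [ -f "$ca_path" ] && [ -r "$ca_path" ] &&
       grep -q 'BEGIN CERTIFICATE' "$ca_path" 2>/dev/null; then
        echo "$ca_src $ca_path ok"
    else
        echo "$ca_src $ca_path unusable"
        return 1
    fi
}

# Collect the three values from the local system, tolerating missing tools.
diagnose() {
    cfg=""; builtin_ca=""
    if command -v git >/dev/null 2>&1; then
        cfg=$(git config --get http.sslCAInfo 2>/dev/null || true)
    fi
    if command -v curl-config >/dev/null 2>&1; then
        builtin_ca=$(curl-config --ca 2>/dev/null || true)
    fi
    pick_ca_source "${GIT_SSL_CAINFO:-}" "$cfg" "$builtin_ca"
}

# Assumption: LOCALBASE is /usr/local, the FreeBSD default.
diagnose || echo "hint: git config --global http.sslCAInfo /usr/local/share/certs/ca-root-nss.crt"
```

A result of `none - unset` or `curl-builtin ... unusable` matches the situation described above, where curl was built without a usable `ca-bundle` path.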
