git: 03b792c59a52 - main - devel/arcanist-lib: Drop ca_root_nss dependency.

From: Dag-Erling Smørgrav <des_at_FreeBSD.org>
Date: Thu, 05 Oct 2023 10:51:23 UTC
The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/ports/commit/?id=03b792c59a52485ebf4a4bbb5675bc9b91df81a5

commit 03b792c59a52485ebf4a4bbb5675bc9b91df81a5
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2023-10-05 10:51:00 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2023-10-05 10:51:00 +0000

    devel/arcanist-lib: Drop ca_root_nss dependency.
    
    This was much harder than it needs to be, because Arcanist is dead set
    on forcing a CA bundle instead of letting curl pick one or use the OS
    native trust store.  Remove the enforced fallback and set CURL_CAINFO
    only if a CA bundle was explicitly configured or custom.pem was found
    on disk.  Furthermore, if the configured value is a directory, set
    CURL_CAPATH instead.
    
    MFH:            2023Q4
    Reviewed by:    grembo
    Differential Revision:  https://reviews.freebsd.org/D42042
---
 devel/arcanist-lib/Makefile                        |  6 +---
 .../files/patch-src_future_http_HTTPSFuture.php    | 41 ++++++++++++++++++++++
 devel/arcanist-lib/pkg-plist                       |  1 -
 3 files changed, 42 insertions(+), 6 deletions(-)

diff --git a/devel/arcanist-lib/Makefile b/devel/arcanist-lib/Makefile
index ca0fcf463952..15d9df7c0bf1 100644
--- a/devel/arcanist-lib/Makefile
+++ b/devel/arcanist-lib/Makefile
@@ -1,6 +1,6 @@
 PORTNAME?=	arcanist
 PORTVERSION?=	20220518
-PORTREVISION?=	4
+PORTREVISION?=	5
 CATEGORIES?=	devel
 PKGNAMESUFFIX=	${SLAVE_PKGNAMESUFFIX}${PHP_PKGNAMESUFFIX}
 
@@ -38,8 +38,6 @@ PLIST=		${.CURDIR}/pkg-plist
 .if ${SLAVEPORT} == lib
 SLAVE_PKGNAMESUFFIX=	-${SLAVEPORT}
 
-RUN_DEPENDS=	ca_root_nss>0:security/ca_root_nss
-
 OPTIONS_DEFINE=	ENCODINGS
 OPTIONS_DEFAULT=ENCODINGS
 ENCODINGS_DESC=	Support for encodings other than utf-8
@@ -82,8 +80,6 @@ do-install:
 	@${REINPLACE_CMD} \
 		's|%%PYTHON_CMD%%|${PYTHON_CMD}|g' \
 		${STAGEDIR}${PREFIX}/${PHP_DESTDIR}/src/workflow/ArcanistAnoidWorkflow.php
-	${LN} -sf ${LOCALBASE}/share/certs/ca-root-nss.crt \
-		${STAGEDIR}${PREFIX}/${PHP_DESTDIR}/resources/ssl/default.pem
 	${RLN} ${STAGEDIR}${PREFIX}/${PHP_DESTDIR}/support/shell/hooks/bash-completion.sh \
 		 ${STAGEDIR}${PREFIX}/share/bash-completion/completions/arc
 	${STAGEDIR}${PREFIX}/${PHP_DESTDIR}/bin/arc shell-complete --generate
diff --git a/devel/arcanist-lib/files/patch-src_future_http_HTTPSFuture.php b/devel/arcanist-lib/files/patch-src_future_http_HTTPSFuture.php
new file mode 100644
index 000000000000..4298c2616b8b
--- /dev/null
+++ b/devel/arcanist-lib/files/patch-src_future_http_HTTPSFuture.php
@@ -0,0 +1,41 @@
+--- src/future/http/HTTPSFuture.php.orig	2022-05-17 23:20:14 UTC
++++ src/future/http/HTTPSFuture.php
+@@ -375,31 +375,24 @@ final class HTTPSFuture extends BaseHTTPFuture {
+       //   means that the user wants to override everything (also because the
+       //   user might not have access to change the box's php.ini to add
+       //   curl.cainfo).
+-      // - Otherwise, try using curl.cainfo. If it's set explicitly, it's
+-      //   probably reasonable to try using it before we fall back to what
+-      //   libphutil ships with.
+-      // - Lastly, try the default that libphutil ships with. If it doesn't
+-      //   work, give up and yell at the user.
+ 
+       if (!$this->getCABundle()) {
+         $caroot = dirname(phutil_get_library_root('arcanist'));
+         $caroot = $caroot.'/resources/ssl/';
+-
+-        $ini_val = ini_get('curl.cainfo');
+         if (self::getGlobalCABundle()) {
+           $this->setCABundleFromPath(self::getGlobalCABundle());
+         } else if (Filesystem::pathExists($caroot.'custom.pem')) {
+           $this->setCABundleFromPath($caroot.'custom.pem');
+-        } else if ($ini_val) {
+-          // TODO: We can probably do a pathExists() here, even.
+-          $this->setCABundleFromPath($ini_val);
+-        } else {
+-          $this->setCABundleFromPath($caroot.'default.pem');
+         }
+       }
+ 
+-      if ($this->canSetCAInfo()) {
+-        curl_setopt($curl, CURLOPT_CAINFO, $this->getCABundle());
++      $ca_bundle = $this->getCABundle();
++      if ($ca_bundle && $this->canSetCAInfo()) {
++        if (is_dir($ca_bundle)) {
++          curl_setopt($curl, CURLOPT_CAPATH, $ca_bundle);
++        } else {
++          curl_setopt($curl, CURLOPT_CAINFO, $ca_bundle);
++        }
+       }
+ 
+       $verify_peer = 1;
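Review bot: In the new `is_dir($ca_bundle)` branch only `CURLOPT_CAPATH` is set, so any CA file curl already uses by default (a build-time bundle, or `curl.cainfo` from php.ini, if either exists) presumably stays in effect alongside the directory. A user who configures a directory in order to trust only a private CA may therefore still accept the default roots; this should be confirmed against the curl build in use and documented. The retained comment block also no longer says what happens when nothing is configured, so I would add `// - Otherwise, set neither option and let curl use its default trust store.` plus a line noting that a directory must be in the hashed layout the TLS backend expects. The return value of both `curl_setopt()` calls is ignored, so a backend that rejects `CURLOPT_CAPATH` would go unnoticed; logging or throwing on `false` would make that visible. The enclosing method starts and ends outside this hunk.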
diff --git a/devel/arcanist-lib/pkg-plist b/devel/arcanist-lib/pkg-plist
index f1b80cbfc2d9..c736efcb7ad0 100644
--- a/devel/arcanist-lib/pkg-plist
+++ b/devel/arcanist-lib/pkg-plist
@@ -17,7 +17,6 @@ lib/php/arcanist/resources/arclint/include-exclude.arclint.example
 lib/php/arcanist/resources/php/symbol-information.json
 lib/php/arcanist/resources/spelling/english.json
 lib/php/arcanist/resources/ssl/README
-lib/php/arcanist/resources/ssl/default.pem
 lib/php/arcanist/scripts/__init_script__.php
 lib/php/arcanist/scripts/arcanist.php
 lib/php/arcanist/scripts/hgdaemon/hgdaemon_client.php