Re: git: acd6144c488b - main - devel/git: Update to 2.39.1

From: Adam Weinberger <adamw_at_adamw.org>
Date: Thu, 19 Jan 2023 17:04:21 UTC
On Thu, Jan 19, 2023 at 1:42 AM Michael Gmelin <grembo@freebsd.org> wrote:

>
>
> On 19. Jan 2023, at 09:33, Antoine Brodin <antoine@freebsd.org> wrote:
>
> On Thu, Jan 19, 2023 at 8:22 AM Antoine Brodin <antoine@freebsd.org>
> wrote:
>
>
> On Thu, Jan 19, 2023 at 8:19 AM Antoine Brodin <antoine@freebsd.org>
> wrote:
>
>
> On Thu, Jan 19, 2023 at 7:55 AM Michael Gmelin <grembo@freebsd.org> wrote:
>
>
>
>
> On 19. Jan 2023, at 08:39, Antoine Brodin <antoine@freebsd.org> wrote:
>
>
> On Thu, Jan 19, 2023 at 7:38 AM Antoine Brodin <antoine@freebsd.org>
> wrote:
>
>
> On Tue, Jan 17, 2023 at 7:13 PM Renato Botelho <garga@freebsd.org> wrote:
>
>
> The branch main has been updated by garga:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=acd6144c488bbe15cd81c41f14d9fb96636b4c1f
>
> commit acd6144c488bbe15cd81c41f14d9fb96636b4c1f
> Author:     Renato Botelho <garga@FreeBSD.org>
> AuthorDate: 2023-01-17 19:12:17 +0000
> Commit:     Renato Botelho <garga@FreeBSD.org>
> CommitDate: 2023-01-17 19:13:51 +0000
>
>   devel/git: Update to 2.39.1
>
>   Security:       CVE-2022-41903
>                   CVE-2022-23521
>   Sponsored by:   Rubicon Communications, LLC ("Netgate")
> ---
> devel/git/Makefile  |  2 +-
> devel/git/distinfo  | 14 +++++++-------
> devel/git/pkg-plist | 10 ++++++++++
> 3 files changed, 18 insertions(+), 8 deletions(-)
>
>
> Hello,
>
> git seems to be unable to clone or pull over https after this update
> unable to access 'https://git.freebsd.org/ports.git/': SSL certificate problem: unable to get local issuer certificate
>
> Could you investigate?
>
> Adding portmgr in cc: as this affects package builders.
>
> Does installing ca-root-nss explicitly make a difference?
>
> ca_root_nss is installed.
>
> Using an old git package doesn't fix the issue, maybe the problem is
> in a dependency?
>
> Going back from curl-7.87.0 to curl-7.86.0 seems to fix the issue
>
> Well, there was this
>
> https://lists.freebsd.org/archives/dev-commits-ports-all/2023-January/049380.html
>
> which unfortunately remained unanswered.
>
> It seems like disabling CA_BUNDLE by default not only removes the
> dependency on ca_root_nss, but also disables a configuration option to look
> for certs in the right place:
>
> > +CA_BUNDLE_CONFIGURE_WITH=
>  ca-bundle=${LOCALBASE}/share/certs/ca-root-nss.crt
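
Review bot: on the added `CA_BUNDLE_CONFIGURE_WITH=` line, the `ca-bundle=${LOCALBASE}/share/certs/ca-root-nss.crt` path is attached to the CA_BUNDLE option, so a build with that option off gets no bundle path from this line. Give the off state an explicit trust-store location, or document next to this line which store a default build is expected to use, so that taking CA_BUNDLE out of the defaults cannot leave certificate verification with no CA certificates to check against.
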
>
> Michael
>

A lot of this was my fault... I emailed sunpoet a while back and pushed for
removing CA_BUNDLE from OPTIONS_DEFAULT, as I felt like I spent all day
rebuilding my entire tree every time ca_root_nss got updated.

Perhaps the right solution is to make CA_BUNDLE_CONFIGURE_WITH_OFF=
ca-bundle=/something/in/base?

I'm not clear whether base caroot produces something equivalent to
LOCALBASE/share/certs/ca-root-nss.crt.

# Adam


-- 
Adam Weinberger
adamw@adamw.org
https://www.adamw.org
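
A check for the two open questions in this thread (which CA bundle the installed curl was built with, and whether a candidate path is a single-file bundle or something else), as an added example that is not part of the original message or of the port. The function names are hypothetical, and the paths to inspect are passed as arguments; `/usr/local` in the usage comment assumes the default LOCALBASE.

```shell
#!/bin/sh
# Added example. curl's configure takes a single PEM file for --with-ca-bundle
# and a directory of OpenSSL hash-named files for --with-ca-path, so a path is
# only "equivalent" to ca-root-nss.crt if it classifies as a bundle.
# Usage (assuming LOCALBASE=/usr/local):
#   sh ca_check.sh /usr/local/share/certs/ca-root-nss.crt

# Print one of: "bundle N", "hashdir N", "unusable", "missing".
ca_store_status() {
    path=$1
    if [ -f "$path" ]; then
        # Count PEM certificate headers in the file.
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" || true)
        if [ "${n:-0}" -gt 0 ]; then echo "bundle $n"; else echo "unusable"; fi
    elif [ -d "$path" ]; then
        # Count entries named like OpenSSL subject-hash links, e.g. 0a1b2c3d.0
        n=$(ls "$path" | grep -c -E '^[0-9a-f]{8}\.[0-9]+$' || true)
        if [ "${n:-0}" -gt 0 ]; then echo "hashdir $n"; else echo "unusable"; fi
    else
        echo "missing"
    fi
}

# Report curl's compiled-in bundle (when curl-config is installed) and the
# status of every path given on the command line.
report_ca_stores() {
    if command -v curl-config >/dev/null 2>&1; then
        builtin_ca=$(curl-config --ca || true)
        if [ -n "$builtin_ca" ]; then
            echo "curl built-in CA bundle: $builtin_ca ($(ca_store_status "$builtin_ca"))"
        else
            echo "curl built-in CA bundle: none compiled in"
        fi
    fi
    for p in "$@"; do
        echo "$p: $(ca_store_status "$p")"
    done
}

report_ca_stores "$@"
```

A result of "none compiled in" together with a failing https clone matches the symptom reported above.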