svn commit: r355423 - head

Kyle Evans kevans at freebsd.org
Thu Dec 5 15:36:41 UTC 2019 

On Thu, Dec 5, 2019 at 9:32 AM Kyle Evans <kevans at freebsd.org> wrote:
>
> Author: kevans
> Date: Thu Dec  5 15:32:33 2019
> New Revision: 355423
> URL: https://svnweb.freebsd.org/changeset/base/355423
>
> Log:
>   UPDATING: Add long-belated note about certs in base
>
>   While the interaction between this and the ETCSYMLINK option of
>   security/ca_root_nss isn't necessarily fatal, one should be aware and
>   attempt to understand the ramifications of mixing the two.
>
>   ports-secteam will be contacted to discuss the default option for branches
>   where certs are being included in base.
>
> Modified:
>   head/UPDATING
>
> Modified: head/UPDATING
> ==============================================================================
> --- head/UPDATING       Thu Dec  5 15:21:13 2019        (r355422)
> +++ head/UPDATING       Thu Dec  5 15:32:33 2019        (r355423)
> @@ -26,6 +26,16 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 13.x IS SLOW:
>         disable the most expensive debugging functionality run
>         "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
>
> +20191205:
> +       The root certificates of the Mozilla CA Certificate Store have been
> +       imported into the base system and can be managed with the certctl(8)
> +       utility.  If you have installed the security/ca_root_nss port or package
> +       with the ETCSYMLINK option (the default), be advised that there may be
> +       differences between those included in the port and those included in
> +       base due to differences in nss branch used as well as general update
> +       frequency.  Note also that certctl(8) cannot manage certs in the
> +       format used by the security/ca_root_nss port.
> +
>  20191120:
>         The amd(8) automount daemon has been disabled by default, and will be
>         removed in the future.  As of FreeBSD 10.1 the autofs(5) is available

CC'ing ports-secteam@ and jbeich at - I think it would make sense and be
A Good Thing(TM?) to go ahead and flip the default of ETCSYMLINK to
"off" for -CURRENT/13.0 now that certs should be effectively managed
in base and updated with etcupdate/mergemaster. Thoughts?

Thanks,

Kyle Evans

More information about the svn-src-all mailing list