svn commit: r360833 - head
Brooks Davis
brooks at freebsd.org
Tue May 12 22:16:10 UTC 2020
On Mon, May 11, 2020 at 01:45:14PM -0500, Kyle Evans wrote:
> On Mon, May 11, 2020 at 1:10 PM Brooks Davis <brooks at freebsd.org> wrote:
> >
> > On Sat, May 09, 2020 at 02:01:29AM +0000, Kyle Evans wrote:
> > > Author: kevans
> > > Date: Sat May 9 02:01:29 2020
> > > New Revision: 360833
> > > URL: https://svnweb.freebsd.org/changeset/base/360833
> > >
> > > Log:
> > > installworld: attempt a certctl rehash at the tail end
> > >
> > > This can be run as root or normal user with no problem; if they hadn't
> > > twisted the WITHOUT_CAROOT knob, we'll attempt to use the host certctl to
> > > rehash the DESTDIR. This would allow one to build systems WITHOUT_OPENSSL +
> > > WITH_CAROOT with a populated /etc/ssl that they can then use with an
> > > appropriate *ssl from somewhere else.
> > >
> > > Cross-builds are fine because this will always use the host certctl, or just
> > > nag if it's missing and it wasn't a WITHOUT_CAROOT build.
> > >
> > > MFC after: 1 week
> > > Differential Revision: https://reviews.freebsd.org/D24641
> > >
> > > Modified:
> > > head/Makefile.inc1
> > >
> > > Modified: head/Makefile.inc1
> > > ==============================================================================
> > > --- head/Makefile.inc1 Sat May 9 01:48:08 2020 (r360832)
> > > +++ head/Makefile.inc1 Sat May 9 02:01:29 2020 (r360833)
> > > @@ -1403,6 +1403,16 @@ distributeworld installworld stageworld: _installcheck
> > > ${DESTDIR}/${DISTDIR}/${dist}.debug.meta
> > > .endfor
> > > .endif
> > > +.elif make(installworld) && ${MK_CAROOT} != "no"
> > > + # We could make certctl a bootstrap tool, but it requires OpenSSL and
> > > + # friends, which we likely don't want. We'll rehash on a best-effort
> > > + # basis, otherwise we'll just mention that we're not doing it to raise
> > > + # awareness.
> > > + @if which certctl>/dev/null; then \
> > > + certctl rehash \
> >
> > Does this update METALOG with the added links?
> >
> > It seems a little weird to rely on DESTDIR from the environment.
> >
> > In general I'm not enthusiastic about additions to installworld that do
> > anything other than copying files, creating links, etc in simple ways.
>
> I will happily back this out if I can get some qualified eyes to
> review/improve it. It does not update METALOG, and it probably should.
> Agreed on DESTDIR. As for point #3, I guess we can continue spreading
> `certctl rehash` all over the tree in various points that may need it;
> the release(7) scripts will need to be done if we don't do it here at
> a minimum, and I haven't put much thought into it beyond that.
I'm not in a rush to back this out given that it's solving a real
problem, but lets talk about improvements.
I kind of feel like this belongs in distribution (which I think would
deal with release scripts) or in etcupdate/mergemaster, but I'm not
sure either of those are correct. I'd be happy to review changes to
update the METALOG (I guess we'd extend certctl with an option to do
that?) I think that's the most important things because we really
should be routinely validating that DESTDIR only contains things in the
METALOG. A quick and dirty fix for the DESTDIR weirdness might be adding
"env DESTDIR=${DESTDIR}" so it's explicit.
> The close-to-infuriating part of the caroot project has been that it's
> incredibly hard to get almost anyone else (with some obvious
> exceptions) to do more than informal discussion on the matter; actual
> review, in particular, is difficult to obtain.
Thanks for doing all this work! I'm afraid the whole thing gives me
third-rail vibes (not the idea or the implementation, but the potential
for things to go wrong) so I've veered away from the larger reviews. :(
-- Brooks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20200512/4fd88db8/attachment.sig>
More information about the svn-src-all
mailing list