acinclude.m4: improve autodetection of CA bundle on FreeBSD #894
The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the discovery process.
While yours may have this (and so does mine) I assume there's a good reason |
There is no |
You've skirted my point, that's not proof it's not correct. Someone put it in there, I assume with good reason, and just because there's nothing in there that adds it now doesn't mean at some past point it wasn't valid. We have to support a wide array of systems, including legacy stuff. We should leave it unless we know it was a typo or something. You can put it above so the search order is like /usr/local/share/certs/ca-root-nss.crt FreeBSD git blame puts it at 304537c, anything to add @dfandrich? |
That was a looong time ago and I'm not a regular FreeBSD user. I don't know where
that ca-root.crt file came from but it's likely that was the only CA bundle I
found on the system I tested.
|
@jay This may be handcrafted on the system Dan used. No evidence for an old canonical location. The ports system is not tied to a FreeBSD version. All versions used the same ports. So if you have 8.x, 9.x, 10.x, the CA bundle will be either in |
It's just not enough to convince me to remove it. I agree the nss bundle should be in the search. Distantly related: https://github.com/kennethreitz/requests/issues/2899 |
@jay This actually reflects what I am saying. If you do not know what this is for and don't want to remove it, let's keep it and tag as |
We do know what it's for, it's for older FreeBSD until proved otherwise. It shouldn't be |
@jay Here is the proof: The port was added 2007-07-06 and the |
That's not proof that ca-root.crt wasn't in use with older FreeBSD, it's just proof that ca-root-nss was added. Also see https://bugs.python.org/msg192601 |
I'll agree with @jay that the evidence seems to suggest that the path was used at some point in time (up to 2008?). It seems safest to just add detection of the new path. |
@jay While I need to admit that you are right here, that the port has been removed from the tree in 2008, no official FreeBSD version is available from that time and it is not available in the ports tree which means that with the next ports update, there won't be any update or the port will be removed. If you still insist on it, I can readd the all as |
For the record, revision 215953 removed the old port. This was 8 years ago. The last version to use this was FreeBSD 7.0-RELEASE. |
I changed my mind. 8 years is a very long time. Let's remove that legacy path. It would still be easy to work-around for anyone who's trapped with a legacy system from back then. |
Thanks for all the comments, work and input on this! |
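The ordered probe this thread is about, as an added example (not curl's acinclude.m4 and not code from this pull request): the first candidate that is a readable file containing a PEM certificate wins. Only the ca-root-nss.crt path comes from the page; `/etc/ssl/cert.pem` as a second candidate, the function names and the optional root prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: ordered CA bundle discovery with a content check.
# Candidates, one per line, in search order. Only the first path is from
# this page; the second is an assumed fallback for illustration.
CA_CANDIDATES="/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/cert.pem"

# is_pem_bundle FILE
# True only if FILE is a readable regular file holding at least one PEM
# certificate block. An empty or truncated file must not be selected,
# because a client configured with it would trust nothing (or fail open
# if the caller ignores the error).
is_pem_bundle() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -- '-----END CERTIFICATE-----' "$1"
}

# find_ca_bundle [ROOT]
# Print the first candidate that passes is_pem_bundle and return 0.
# ROOT (hypothetical parameter) is prepended to each candidate so the
# probe can be run against a constructed tree instead of the live system.
find_ca_bundle() {
    root="${1:-}"
    old_ifs=$IFS
    IFS='
'
    for candidate in $CA_CANDIDATES; do
        if is_pem_bundle "$root$candidate"; then
            IFS=$old_ifs
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Stand-alone run: probe the live filesystem, or the tree under $CA_ROOT.
find_ca_bundle "${CA_ROOT:-}" || echo "no CA bundle found" >&2
```

Because the order of the list decides which bundle is trusted, adding a new path above or below an existing one changes behaviour on any system that has both files.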