#
357082 |
|
24-Jan-2020 |
kevans |
MFC r352948-r352951, r353002, r353066, r353070: caroot infrastructure
Infrastructure only -- no plans in place currently to commit any certs to these branches.
r352948: [1/3] Initial infrastructure for SSL root bundle in base
This setup will add the trusted certificates from the Mozilla NSS bundle to base.
This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions
A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts.
This work was done primarily by allanjude@, with minor contributions by myself.
r352949: [2/3] Add certctl(8)
This is a simple utility to hash all trusted on the system into /etc/ssl/certs. It also allows the user to blacklist certificates they do not trust.
This work was done primarily by allanjude@, with minor contributions by myself.
r352950: [3/3] etcupdate and mergemaster support for certctl
This commit adds support for certctl in mergemaster and etcupdate. Both will either rehash or prompt for rehash as new certificates are trusted/blacklisted.
This work was done primarily by allanjude@, with minor contributions by myself.
r352951: caroot: add @generated tags to extracted .pem
As is the current trend; while these files are manually curated, they are still generated. If they end up in a review, it would be helpful to also take the hint and hide them.
r353002: Unbreak etcupdate(8) and mergemaster(8) after r352950
r352950 introduced improper case fall-through for shell scripts. Fix it with a pipe.
r353066: certctl(8): realpath the file before creating the symlink
Otherwise we end up creating broken relative symlinks in /etc/ssl/blacklisted.
r353070: certctl(8): let one blacklist based on hashed filenames
It seems reasonable to allow, for instance:
    $ certctl list
    # reviews output -- ah, yeah, I don't trust that one
    $ certctl blacklist ce5e74ef.0
    $ certctl rehash
We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've described it to them in `certctl list` output -- I see little sense in forcing another level of filesystem inspection to determine what cert file this physically corresponds to.
Relnotes: yes
|
#
319189 |
|
30-May-2017 |
ngie |
MFC r314658:
crypto: normalize paths using SRCTOP-relative paths or :H when possible
This simplifies make logic/output
|
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation
|
#
297434 |
|
30-Mar-2016 |
bdrewery |
Remove the old depend (mkdep) code and make FAST_DEPEND the one true way.
Reviewed by: emaste, hselasky (partial), brooks (brief)
Discussed on: arch@
Sponsored by: EMC / Isilon Storage Division
Differential Revision: https://reviews.freebsd.org/D5742
|
#
289393 |
|
15-Oct-2015 |
bdrewery |
Add more SUBDIR_PARALLEL.
MFC after: 3 weeks
Sponsored by: EMC / Isilon Storage Division
|
#
289378 |
|
15-Oct-2015 |
bdrewery |
Mark sub-make targets as .MAKE and .PHONY to handle -n and always-build properly.
MFC after: 1 week
Sponsored by: EMC / Isilon Storage Division
|
#
265420 |
|
06-May-2014 |
imp |
Use src.opts.mk in preference to bsd.own.mk except where we need stuff from the latter.
|
#
264741 |
|
21-Apr-2014 |
jmmv |
Add placeholder Kyuafiles for various top-level hierarchies.
This change adds tests/ directories in the source tree to create various subdirectories in /usr/tests/ and to install placeholder Kyuafiles for them.
The relevant hierarchies are: cddl, etc, games, gnu and secure.
The reason for this is to simplify the addition of new test programs for utilities or libraries under any of these directories. Doing so on a case by case basis is unnecessary and is quite an obscure process.
|
#
264157 |
|
05-Apr-2014 |
imp |
Use MK_CRYPT=no in preference to WITHOUT_CRYPT here.
|
#
201210 |
|
29-Dec-2009 |
trasz |
Remove pppd, it's gone.
|
#
156813 |
|
17-Mar-2006 |
ru |
Reimplementation of world/kernel build options. For details, see:
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html
The src.conf(5) manpage is to follow in a few days.
Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)
|
#
139113 |
|
21-Dec-2004 |
ru |
NOCRYPT -> NO_CRYPT
|
#
128833 |
|
02-May-2004 |
marcel |
Fix release builds (release.3 target). We also need to rebuild libradius, because otherwise it will remain having a dependency upon libssl. This breaks the non-crypto build that happens for release.3.
While here, order the list of programs and libraries.
Speculating review feedback from: ru
|
#
124651 |
|
18-Jan-2004 |
ru |
Added two utility targets "secure" and "insecure", analogous to "kerberize" and "dekerberize" in kerberos5/Makefile. These can be used to recompile bits with optional crypto support with and without crypto, respectively.
Reviewed by: markm
|
#
124638 |
|
17-Jan-2004 |
ru |
Once upon a time we had both "crypto" and "krb5" distributions, and rebuilt some bits with crypto but without Kerberos support (most notably SSH) during "make release", to put them into the "crypto" distribution.
Now that we don't ship the separate "krb5" distribution anymore (it's now part of the "crypto" distribution), don't waste time recompiling SSH bits without crypto and without Kerberos support in an attempt to put them in the "base" distribution -- it just doesn't work as SSH always uses crypto code.
We avoid this by not rebuilding KPROGS from kerberos5/Makefile in release/Makefile and adding "libpam" to SPROGS in secure/Makefile to ensure it's still rebuilt without crypto support for the "base" distribution. (Disabling crypto (NOCRYPT) also disables building of Kerberos-related PAM modules, and it's OK to depend on this.)
This should be a no-op change saving some "make release" time.
|
#
124633 |
|
17-Jan-2004 |
ru |
- Properly build both crypto and non-crypto versions of the package management tools.
- Drop redundant dependency of pkg_create(1) and pkg_delete(1) on crypto libraries now that they do not link with libfetch.
|
#
124607 |
|
17-Jan-2004 |
ru |
Removed well outdated comment.
|
#
117675 |
|
16-Jul-2003 |
markm |
Very big makeover in the way telnet, telnetd and libtelnet are built.
Previously, there were two copies of telnet; a non-crypto version that lived in the usual places, and a crypto version that lived in crypto/telnet/. The latter was built in a broken manner somewhat akin to other "contribified" sources. This meant that there were 4 telnets competing with each other at build time - KerberosIV, Kerberos5, plain-old-secure and base. KerberosIV is no longer in the running, but the other three took it in turns to jump all over each other during a "make buildworld".
As the crypto issue has been clarified, and crypto _calls_ are not a problem, crypto/telnet has been repo-copied to contrib/telnet, and with this commit, all telnets are now "contribified". The contrib path was chosen to not destroy history in the repository, and differs from other contrib/ entries in that it may be worked on as "normal" BSD code. There is no dangerous crypto in these sources, only a very weak system less strong than enigma(1).
Kerberos5 telnet and Secure telnet are now selected by using the usual macros in /etc/make.conf, and the build process is unsurprising and less treacherous.
|
#
115842 |
|
04-Jun-2003 |
markm |
Drop this MAINTAINER bit. I'll reclaim an "Advisory Maintainership" for this area later.
|
#
99770 |
|
11-Jul-2002 |
ru |
Removed the (never used) help-distribute target from here.
(Similar targets were once used during the release building process for kerberosIV and kerberos5.)
|
#
63249 |
|
16-Jul-2000 |
peter |
Forced commit. This is to try and help folks that used the international crypto repo and have slightly different files but with the same version. cvsup in 'checkout mode' has no trouble with this, but cvs can get really silly about it.
|
#
57437 |
|
24-Feb-2000 |
markm |
Build everything properly. This means:
o Don't build libdes.
o Crypto is now housed in libcrypto (with a compatibility symlink to libdes)
o RSA may depend on RSAREF at your locale.
o OpenSSH is now a part of the base system.
|
#
51993 |
|
07-Oct-1999 |
markm |
Make telnet with SRA work.
Submitted by: Nick Sayer
|
#
50479 |
|
27-Aug-1999 |
peter |
$Id$ -> $FreeBSD$
|
#
49971 |
|
17-Aug-1999 |
markm |
Claim ownership
|
#
30113 |
|
05-Oct-1997 |
jkh |
Changes to support full make parallelism (-j<n>) in the world target.
Reviewed by: <many different folks>
Submitted by: "Nickolay N. Dudorov" <nnd@nnd.itfs.nsk.su>
|
#
22990 |
|
22-Feb-1997 |
peter |
Revert $FreeBSD$ to $Id$
|
#
21673 |
|
14-Jan-1997 |
jkh |
Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
|
#
15615 |
|
04-May-1996 |
markm |
Add extra targets a' la' eBones/Makefile for release/Makefile. (bootstrap etc)
|
#
11074 |
|
29-Sep-1995 |
ache |
Remove duplicated targets which now build from main tree if available and allowed
|
#
9760 |
|
29-Jul-1995 |
markm |
After pst and ache fixed secure telnet, it was still not in the main makefiles. This puts it in.
PLEASE NOTE - YOU WILL NEED TO BUILD AND INSTALL THE libtelnet IN secure/
Reviewed by:
Submitted by:
Obtained from:
|
#
4485 |
|
14-Nov-1994 |
phk |
Make the "distribute" target build the "des" distribution. Make des'ed init and ed, by pointing to real sources.
|
#
2539 |
|
07-Sep-1994 |
pst |
Back out static hacks & build of usr.bin until Geoff informs the world of his master plan.
Submitted by: pst
|
#
2536 |
|
07-Sep-1994 |
pst |
Remove static in front of declarations for des_setkey and des_cipher so that linking against -lcrypt (-ldescrypt) will give us the good versions instead of the stubs in libc. (These changes need to be made to the non-US version of libdescrypt too!)
Allow building and support for bdes program. A bit more work still needs to be done on secure telnet.
Submitted by: pst
|
#
2044 |
|
12-Aug-1994 |
csgr |
1) don't make bdes yet
2) fix .include in secure/lib/Makefile.inc
3) fix afterinstall rule in libcrypt/Makefile
Submitted by: Geoff Rehmet
|
#
1962 |
|
08-Aug-1994 |
csgr |
add lib subdir
|
#
1908 |
|
07-Aug-1994 |
wollman |
Allow the `bdes' program to compile.
|