357082 |
24-Jan-2020 |
kevans |
MFC r352948-r352951, r353002, r353066, r353070: caroot infrastructure
Infrastructure only -- no plans in place currently to commit any certs to these branches.
r352948: [1/3] Initial infrastructure for SSL root bundle in base
This setup will add the trusted certificates from the Mozilla NSS bundle to base.
This commit includes: - CAROOT option to opt out of installation of certs - mtree amendments for final destinations - infrastructure to fetch/update certs, along with instructions
A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts.
This work was done primarily by allanjude@, with minor contributions by myself.
r352949: [2/3] Add certctl(8)
This is a simple utility to hash all trusted on the system into /etc/ssl/certs. It also allows the user to blacklist certificates they do not trust.
This work was done primarily by allanjude@, with minor contributions by myself.
r352950: [3/3] etcupdate and mergemaster support for certctl
This commit add support for certctl in mergemaster and etcupdate. Both will either rehash or prompt for rehash as new certificates are trusted/blacklisted.
This work was done primarily by allanjude@, with minor contributions by myself.
r352951: caroot: add @generated tags to extracted .pem
As is the current trend; while these files are manually curated, they are still generated. If they end up in a review, it would be helpful to also take the hint and hide them.
r353002: Unbreak etcupdate(8) and mergemaster(8) after r352950
r352950 introduced improper case fall-through for shell scripts. Fix it with a pipe.
r353066: certctl(8): realpath the file before creating the symlink
Otherwise we end up creating broken relative symlinks in /etc/ssl/blacklisted.
r353070: certctl(8): let one blacklist based on hashed filenames
It seems reasonable to allow, for instance:
$ certctl list # reviews output -- ah, yeah, I don't trust that one $ certctl blacklist ce5e74ef.0 $ certctl rehash
We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've described it to them in `certctl list` output -- I see little sense in forcing another level of filesystem inspection to determien what cert file this physically corresponds to.
Relnotes: yes |
307788 |
22-Oct-2016 |
bapt |
MFC r303784, r303785, r305620:
r303784: etcupdate: directly use diff3(1) instead of merge(1)
During the last attempt to rmeove GNU rcs, 2 blockers were spotted: We need an ident(1) and etcupdate(8) uses merge(1).
Now nothing should prevent to remove rcs from base
Reviewed by: jhb Differential Revision: https://reviews.freebsd.org/D7401
r303785: always install etcupdate
Now that etcupdate does not depend on rcs anymore there is no need to conditionnally install it
r305620: (by vangyzen ) etcupdate: preserve the metadata of the destination file
When using diff3 to perform a three-way merge, etcupdate lost the destination file's metadata. The metadata from the temporary file were used instead. This was unpleasant for rc.d scripts, which require execute permission. Use "cat >" to overwrite the destination file's contents while preserving its metadata.
Reviewed by: bapt Sponsored by: Dell Technologies Differential Revision: https://reviews.freebsd.org/D7817 |
299094 |
04-May-2016 |
ngie |
Merge ^/user/ngie/release-pkg-fix-tests to unbreak how test files are installed after r298107
Summary of changes:
- Replace all instances of FILES/TESTS with ${PACKAGE}FILES. This ensures that namespacing is kept with FILES appropriately, and that this shouldn't need to be repeated if the namespace changes -- only the definition of PACKAGE needs to be changed - Allow PACKAGE to be overridden by callers instead of forcing it to always be `tests`. In the event we get to the point where things can be split up enough in the base system, it would make more sense to group the tests with the blocks they're a part of, e.g. byacc with byacc-tests, etc - Remove PACKAGE definitions where possible, i.e. where FILES wasn't used previously. - Remove unnecessary TESTSPACKAGE definitions; this has been elided into bsd.tests.mk - Remove unnecessary BINDIRs used previously with ${PACKAGE}FILES; ${PACKAGE}FILESDIR is now automatically defined in bsd.test.mk. - Fix installation of files under data/ subdirectories in lib/libc/tests/hash and lib/libc/tests/net/getaddrinfo - Remove unnecessary .include <bsd.own.mk>s (some opportunistic cleanup)
Document the proposed changes in share/examples/tests/tests/... via examples so it's clear that ${PACKAGES}FILES is the suggested way forward in terms of replacing FILES. share/mk/bsd.README didn't seem like the appropriate method of communicating that info.
MFC after: never probably X-MFC with: r298107 PR: 209114 Relnotes: yes Tested with: buildworld, installworld, checkworld; buildworld, packageworld Sponsored by: EMC / Isilon Storage Division
|
298107 |
16-Apr-2016 |
gjb |
Merge the projects/release-pkg branch to head.
This allows packaging the base system with pkg(8), including but not limited to providing the ability to provide upstream binary update possibilities for non-tier-1 architectures.
This merge is a requirement of the 11.0-RELEASE, and as such, thank you to everyone that has tested the project branch.
Documentation in build(7) etc. is still somewhat sparse, but updates to those parts will follow.
Sponsored by: The FreeBSD Foundation
|
263226 |
16-Mar-2014 |
jmmv |
Migrate tools/regression/{usr.bin/lastcomm,usr.sbin}/ to the new tests layout.
This change was originally going to only migrate the usr.sbin tests but, as it turns out, the usr.sbin/sa/ tests require files from usr.bin/lastcomm/ so it's better to just also migrate the latter at the same time. The other usr.bin tests will be moved separately.
To make these tests work within the test suite, some of them have required changes to prevent modifying the source directory and instead just rely on the current directory for file manipulation.
|
258066 |
12-Nov-2013 |
jhb |
Add a pre-world mode of updating similar to the -p option that can be passed to mergemaster. In this mode, only changes to /etc/master.passwd and /etc/group are merged to /etc. In addition, it uses a temporary tree to stage these changes rather than overwriting the existing 'current' and 'previous' trees so that a full update can be run after a normal installworld has completed.
MFC after: 2 weeks
|
238423 |
13-Jul-2012 |
jhb |
The etcupdate utility is a tool for managing updates to files that are not updated as part of `make installworld' such as files in /etc. It manages updates by doing a three-way merge of changes made to these files against the local versions. It is also designed to minimize the amount of user intervention with the goal of simplifying upgrades for clusters of machines.
The primary difference from mergemaster is that etcupdate requires less manual work. The primary difference from etcmerge is that etcupdate updates files in-place similar to mergemaster rather than building a separate /etc tree.
Requested by: obrien, kib, theraven, joeld (among others)
|