On Thu, Jan 14, 2016 at 02:54:31PM -0600, Kent R. Spillner wrote:
> Are there any productivity/taskd users around? taskd is the sync server
> for taskwarrior.
>
> Please note I'm not looking for OKs to commit this yet, I'm just looking
> for feedback from users and porters. I think this still needs some
> work before it's ready to be committed.
>
> Below is a diff that updates taskd to the latest release, v1.1.0. Most
> of it is straightforward:
>
> * Most of our patches were accepted upstream (although apparently with
>   some slight modifications) so they go away
> * I ported the changes from productivity/taskwarrior to use our libc's
>   uuid functions so the sysutils/e2fsprogs dependency goes away (which
>   was the main reason I started looking at this in the first place...)
> * The changes to files/config remove a duplicate log line, remove the
>   client.allow config (see:
>   http://taskwarrior.org/docs/taskserver/upgrade.html)
>   add strict certificate validation, and only listen on the loopback
>   interface by default (note that taskd no longer supports the
>   wildcard so the previous value caused an error)
>
> Everything seems to be working with these changes. I have successfully
> tested syncing locally using the taskwarrior package, and I have
> tested syncing remotely from a Linux box.
>
> There are three things I'm struggling with:
> * The pki/ scripts included with taskd just don't seem to work, but I'm
>   not sure if it's a problem with the scripts themselves or our
>   version of GNUTLS. In particular, they generate certs that fail
>   validation (on the client side I get an error message "certificate
>   signer constraints were violated," and on the server side I get an
>   error message "error in pull function"). I had to manually generate
>   all of the certificates myself using a newer version of GNUTLS on a
>   Linux box. Should we patch them to get something that works on
>   OpenBSD, provide our own alternatives, or tell users how to manually
>   do everything themselves in pkg/README?
> * The trust=strict in files/config is the recommended setting and makes
>   the most sense to me, but in light of the problems with the pki/
>   scripts I wonder if perhaps we would want to relax cert validation?
>
> The third thing is that based on whatever we decide to do about the
> other two things we'll need to show some love to pkg/README. I haven't
> even started thinking about that yet because I wanted to get other
> opinions about the first two issues.
>
> Thoughts? Comments? Questions? Obscenities? ;)
Here is a better diff based on feedback from aja. Still looking for feedback & suggestions regarding the pki/ scripts. Index: Makefile =================================================================== RCS file: /work/cvsroot/ports/productivity/taskd/Makefile,v retrieving revision 1.4 diff -p -u -r1.4 Makefile --- Makefile 25 Aug 2015 07:30:30 -0000 1.4 +++ Makefile 10 Nov 2015 22:20:31 -0000 @@ -2,9 +2,8 @@ COMMENT = lightweight server providing access to task data -DISTNAME = taskd-1.0.0 +DISTNAME = taskd-1.1.0 CATEGORIES = productivity net -REVISION = 1 HOMEPAGE = http://www.taskwarrior.org/ @@ -13,12 +12,15 @@ MASTER_SITES = ${HOMEPAGE}/download/ # MIT PERMIT_PACKAGE_CDROM = Yes -MODULES = devel/cmake +MODULES = gcc4 \ + devel/cmake -WANTLIB += c gnutls m pthread stdc++ uuid +MODGCC4_LANGS = c++ +MODGCC4_ARCHS = * -LIB_DEPENDS = security/gnutls \ - sysutils/e2fsprogs>=1.42.7 +WANTLIB += c gnutls m pthread + +LIB_DEPENDS = security/gnutls CONFIGURE_STYLE = cmake @@ -33,10 +35,13 @@ NO_TEST = Yes post-install: ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/taskd/pki/ - ${INSTALL_SCRIPT} ${WRKSRC}/pki/!(*.orig) \ + ${INSTALL_SCRIPT} ${WRKSRC}/pki/generate!(*.orig) \ + ${PREFIX}/share/examples/taskd/pki/ + ${INSTALL_DATA} ${WRKSRC}/pki/README \ ${PREFIX}/share/examples/taskd/pki/ + ${INSTALL_DATA} ${WRKSRC}/pki/vars \ + ${PREFIX}/share/examples/taskd/pki/vars.example ${SUBST_DATA} ${FILESDIR}/config \ ${PREFIX}/share/examples/taskd/config - ${INSTALL_DATA} ${FILESDIR}/vars.dist ${PREFIX}/share/examples/taskd/pki/ .include <bsd.port.mk> Index: distinfo =================================================================== RCS file: /work/cvsroot/ports/productivity/taskd/distinfo,v retrieving revision 1.1.1.1 diff -p -u -r1.1.1.1 distinfo --- distinfo 12 Jul 2014 22:08:35 -0000 1.1.1.1 +++ distinfo 10 Nov 2015 21:12:00 -0000 
@@ -1,2 +1,2 @@ -SHA256 (taskd-1.0.0.tar.gz) = Fi7x7sSPgUWHDvDb4BIbeKbamYFbwYr3feB/uwq+AtA= -SIZE (taskd-1.0.0.tar.gz) = 128191 +SHA256 (taskd-1.1.0.tar.gz) = e4SI5oeXGuVnKf9OLlIJ/4gGz4zVdxi/1+UhvhMGIbQ= +SIZE (taskd-1.1.0.tar.gz) = 120115 Index: files/config =================================================================== RCS file: /work/cvsroot/ports/productivity/taskd/files/config,v retrieving revision 1.1.1.1 diff -p -u -r1.1.1.1 config --- files/config 12 Jul 2014 22:08:35 -0000 1.1.1.1 +++ files/config 14 Jan 2016 19:56:20 -0000 @@ -1,12 +1,12 @@ confirmation=1 extensions=${TRUEPREFIX}/libexec/taskd log=/var/log/taskd/taskd.log -log=/var/log/taskd/taskd.log pid.file=/var/run/taskd/taskd.pid queue.size=10 request.limit=1048576 root=/var/taskd -server=*:53589 +server=127.0.0.1:53589 +trust=strict verbose=1 client.cert=/var/taskd/client.cert.pem client.key=/var/taskd/client.key.pem @@ -14,4 +14,3 @@ server.cert=/var/taskd/server.cert.pem server.key=/var/taskd/server.key.pem server.crl=/var/taskd/server.crl.pem ca.cert=/var/taskd/ca.cert.pem -client.allow=^task [2-9] Index: files/vars.dist =================================================================== RCS file: files/vars.dist diff -N files/vars.dist --- files/vars.dist 12 Jul 2014 22:08:35 -0000 1.1.1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,9 +0,0 @@ -#dnsnames="example.com example.net" -#ipaddrs="10.11.12.13 10.20.30.40" -bits=4096 -expiration_days=365 -organization="Göteborg Bit Factory" -cn="Göteborg Bit Factory" -country=SE -state="Västra Götaland" -locality="Göteborg" Index: patches/patch-CMakeLists_txt =================================================================== RCS file: patches/patch-CMakeLists_txt diff -N patches/patch-CMakeLists_txt --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-CMakeLists_txt 10 Nov 2015 21:48:36 -0000 
@@ -0,0 +1,25 @@ +$OpenBSD$ +--- CMakeLists.txt.orig Tue Nov 10 15:44:28 2015 ++++ CMakeLists.txt Tue Nov 10 15:44:54 2015 +@@ -115,10 +115,10 @@ if (GNUTLS_FOUND) + endif (GNUTLS_FOUND) + + message ("-- Looking for libuuid") +-if (DARWIN OR FREEBSD) ++if (DARWIN OR FREEBSD OR OPENBSD) + # Apple and FreeBSD include the uuid functions in their libc, rather than libuuid + check_function_exists (uuid_unparse_lower HAVE_UUID_UNPARSE_LOWER) +-else (DARWIN OR FREEBSD) ++else (DARWIN OR FREEBSD OR OPENBSD) + find_path (UUID_INCLUDE_DIR uuid/uuid.h) + find_library (UUID_LIBRARY NAMES uuid) + if (UUID_INCLUDE_DIR AND UUID_LIBRARY) +@@ -131,7 +131,7 @@ else (DARWIN OR FREEBSD) + else (UUID_INCLUDE_DIR AND UUID_LIBRARY) + message (FATAL_ERROR "-- libuuid not found.") + endif (UUID_INCLUDE_DIR AND UUID_LIBRARY) +-endif (DARWIN OR FREEBSD) ++endif (DARWIN OR FREEBSD OR OPENBSD) + + if (HAVE_UUID_UNPARSE_LOWER) + message ("-- Found libuuid") Index: patches/patch-pki_README =================================================================== RCS file: /work/cvsroot/ports/productivity/taskd/patches/patch-pki_README,v retrieving revision 1.1.1.1 diff -p -u -r1.1.1.1 patch-pki_README --- patches/patch-pki_README 12 Jul 2014 22:08:35 -0000 1.1.1.1 +++ patches/patch-pki_README 10 Nov 2015 21:35:18 -0000 @@ -1,6 +1,6 @@ $OpenBSD: patch-pki_README,v 1.1.1.1 2014/07/12 22:08:35 landry Exp $ ---- pki/README.orig Fri Jun 20 22:26:36 2014 -+++ pki/README Fri Jun 20 22:27:24 2014 +--- pki/README.orig Sun May 10 16:35:22 2015 ++++ pki/README Tue Nov 10 15:35:03 2015 @@ -21,7 +21,7 @@ and cert will not be trusted by anyone, for good reaso Note, you can inspect any cert with the command: 
@@ -10,3 +10,10 @@ $OpenBSD: patch-pki_README,v 1.1.1.1 201 There is a 'generate' script here that will perform the above steps. Take a look at it to see the individual steps it takes to generate the proper set of +@@ -32,5 +32,5 @@ chosen parameters. + + VAlidate a certificate with: + +- $ gnutls-certtool --verify --infile client.cert.pem --load-ca-certificate ca.cert.pem ++ $ certtool --verify --infile client.cert.pem --load-ca-certificate ca.cert.pem + Index: patches/patch-pki_generate =================================================================== RCS file: patches/patch-pki_generate diff -N patches/patch-pki_generate --- patches/patch-pki_generate 12 Jul 2014 22:08:35 -0000 1.1.1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,9 +0,0 @@ -$OpenBSD: patch-pki_generate,v 1.1.1.1 2014/07/12 22:08:35 landry Exp $ ---- pki/generate.orig Fri Jun 20 22:26:36 2014 -+++ pki/generate Fri Jun 20 21:52:57 2014 -@@ -1,4 +1,4 @@ --#!/bin/bash -+#!/bin/sh - - # For a public or production server, purchase a cert from a known CA, and skip - # the next step. Index: patches/patch-pki_generate_ca =================================================================== RCS file: patches/patch-pki_generate_ca diff -N patches/patch-pki_generate_ca --- patches/patch-pki_generate_ca 12 Jul 2014 22:08:35 -0000 1.1.1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,41 +0,0 @@ -$OpenBSD: patch-pki_generate_ca,v 1.1.1.1 2014/07/12 22:08:35 landry Exp $ ---- pki/generate.ca.orig Fri Jun 20 22:26:36 2014 -+++ pki/generate.ca Fri Jun 20 21:59:50 2014 -@@ -1,27 +1,30 @@ --#!/bin/bash -+#!/bin/sh - - # Take the correct binary to create the certificates --CERTTOOL=$(which gnutls-certtool || which certtool) -+CERTTOOL=$(which certtool) - if [[ -z "${CERTTOOL}" ]] - then - echo "ERROR: No certtool found" >&2 - exit 1 - fi - -+. ./vars -+ - # Create a CA key. - ${CERTTOOL} \ - --generate-privkey \ -+ --bits=$bits \ - --outfile ca.key.pem - - chmod 600 ca.key.pem - - # Sign a CA cert. - cat <<EOF >ca.info --organization = Göteborg Bit Factory --cn = Göteborg Bit Factory --country = SE --state = Västra Götaland --locality = Göteborg -+organization = $organization -+cn = $cn -+country = $country -+state = $state -+locality = $locality - ca - cert_signing_key - EOF Index: patches/patch-pki_generate_client =================================================================== RCS file: patches/patch-pki_generate_client diff -N patches/patch-pki_generate_client --- patches/patch-pki_generate_client 12 Jul 2014 22:08:35 -0000 1.1.1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,39 +0,0 @@ -$OpenBSD: patch-pki_generate_client,v 1.1.1.1 2014/07/12 22:08:35 landry Exp $ ---- pki/generate.client.orig Fri Jun 20 22:26:36 2014 -+++ pki/generate.client Fri Jun 20 22:00:23 2014 -@@ -1,4 +1,4 @@ --#!/bin/bash -+#!/bin/sh - - NAME=client - if [ $# -gt 0 ] ; then -@@ -6,23 +6,26 @@ if [ $# -gt 0 ] ; then - fi - - # Take the correct binary to create the certificates --CERTTOOL=$(which gnutls-certtool || which certtool) -+CERTTOOL=$(which certtool) - if [[ -z "${CERTTOOL}" ]] - then - echo "ERROR: No certtool found" >&2 - exit 1 - fi - -+. ./vars -+ - # Create a client key. - ${CERTTOOL} \ - --generate-privkey \ -+ --bits=$bits \ - --outfile ${NAME}.key.pem - - # Sign a client cert with the key. - chmod 600 ${NAME}.key.pem - cat <<EOF >client.info --organization = Göteborg Bit Factory --cn = Göteborg Bit Factory -+organization = $organization -+cn = $cn - tls_www_client - encryption_key - signing_key Index: patches/patch-pki_generate_crl =================================================================== RCS file: patches/patch-pki_generate_crl diff -N patches/patch-pki_generate_crl --- patches/patch-pki_generate_crl 12 Jul 2014 22:08:35 -0000 1.1.1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,21 +0,0 @@ -$OpenBSD: patch-pki_generate_crl,v 1.1.1.1 2014/07/12 22:08:35 landry Exp $ ---- pki/generate.crl.orig Fri Jun 20 22:26:36 2014 -+++ pki/generate.crl Fri Jun 20 22:00:47 2014 -@@ -1,12 +1,14 @@ --#!/bin/bash -+#!/bin/sh - -+. ./vars -+ - # CRL - Certificate Revocation List - cat <<EOF >crl.info --expiration_days = 365 -+expiration_days = $expiration_days - EOF - - # Take the correct binary to create the certificates --CERTTOOL=$(which gnutls-certtool || which certtool) -+CERTTOOL=$(which certtool) - if [[ -z "${CERTTOOL}" ]] - then - echo "ERROR: No certtool found" >&2 Index: patches/patch-pki_generate_server =================================================================== RCS file: patches/patch-pki_generate_server diff -N patches/patch-pki_generate_server --- patches/patch-pki_generate_server 12 Jul 2014 22:08:35 -0000 1.1.1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,48 +0,0 @@ -$OpenBSD: patch-pki_generate_server,v 1.1.1.1 2014/07/12 22:08:35 landry Exp $ ---- pki/generate.server.orig Wed Jan 15 23:47:49 2014 -+++ pki/generate.server Tue Jun 24 11:25:44 2014 -@@ -1,26 +1,38 @@ --#!/bin/bash -+#!/bin/sh - - # Take the correct binary to create the certificates --CERTTOOL=$(which gnutls-certtool || which certtool) -+CERTTOOL=$(which certtool) - if [[ -z "${CERTTOOL}" ]] - then - echo "ERROR: No certtool found" >&2 - exit 1 - fi - -+dnsnames="`hostname`" -+ipaddrs=$(for ip in `ifconfig -A | awk '/inet/ {print $2}' | egrep -v '(^::1$|^fe80:|^127\.)'` ; do -+ echo -n "$ip " -+done) -+ -+. ./vars -+ - # Create a server key. - ${CERTTOOL} \ - --generate-privkey \ -+ --bits=$bits \ - --outfile server.key.pem - - chmod 600 server.key.pem - - # Sign a server cert using the key. - cat <<EOF >server.info --organization = Göteborg Bit Factory --cn = Göteborg Bit Factory --dns_name = "tasktools.org" --ip_address = "97.107.141.107" -+organization = $organization -+cn = $cn -+$(for host in $dnsnames ; do -+ echo dns_name = $host -+done) -+$(for ip in $ipaddrs ; do -+ echo ip_address = $ip -+done) - tls_www_server - encryption_key - signing_key Index: patches/patch-src_util_cpp =================================================================== RCS file: patches/patch-src_util_cpp diff -N patches/patch-src_util_cpp --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_util_cpp 10 Nov 2015 21:48:30 -0000 
@@ -0,0 +1,12 @@ +$OpenBSD$ +--- src/util.cpp.orig Tue Nov 10 15:46:44 2015 ++++ src/util.cpp Tue Nov 10 15:47:54 2015 +@@ -136,7 +136,7 @@ int autoComplete ( + // representation is always lowercase anyway. + // For the implementation details, refer to + // http://svnweb.freebsd.org/base/head/sys/kern/kern_uuid.c +-#ifdef FREEBSD ++#if defined(FREEBSD) || defined(OPENBSD) + const std::string uuid () + { + uuid_t id; Index: patches/patch-src_util_h =================================================================== RCS file: patches/patch-src_util_h diff -N patches/patch-src_util_h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_util_h 10 Nov 2015 21:48:27 -0000 @@ -0,0 +1,12 @@ +$OpenBSD$ +--- src/util.h.orig Tue Nov 10 15:46:30 2015 ++++ src/util.h Tue Nov 10 15:45:58 2015 +@@ -29,7 +29,7 @@ + + #include <string> + #include <vector> +-#ifdef FREEBSD ++#if defined(FREEBSD) || defined(OPENBSD) + #include <uuid.h> + #else + #include <uuid/uuid.h> Index: pkg/PLIST =================================================================== RCS file: /work/cvsroot/ports/productivity/taskd/pkg/PLIST,v retrieving revision 1.2 diff -p -u -r1.2 PLIST --- pkg/PLIST 25 Aug 2015 07:30:30 -0000 1.2 +++ pkg/PLIST 15 Jan 2016 15:19:03 -0000 @@ -16,6 +16,7 @@ @bin bin/taskd bin/taskdctl @man man/man1/taskd.1 +@man man/man1/taskdctl.1 @man man/man5/taskdrc.5 share/examples/taskd/ share/examples/taskd/config 
@@ -34,7 +35,7 @@ share/examples/taskd/pki/generate.ca share/examples/taskd/pki/generate.client share/examples/taskd/pki/generate.crl share/examples/taskd/pki/generate.server -share/examples/taskd/pki/vars.dist +share/examples/taskd/pki/vars.example @sample share/examples/taskd/pki/vars share/taskd/ share/taskd/AUTHORS Index: pkg/taskd.rc =================================================================== RCS file: /work/cvsroot/ports/productivity/taskd/pkg/taskd.rc,v retrieving revision 1.1.1.1 diff -p -u -r1.1.1.1 taskd.rc --- pkg/taskd.rc 12 Jul 2014 22:08:35 -0000 1.1.1.1 +++ pkg/taskd.rc 15 Jan 2016 15:19:47 -0000 @@ -7,4 +7,8 @@ daemon_user="_taskd" . /etc/rc.d/rc.subr +rc_pre() { + install -d -o _taskd /var/run/taskd +} + rc_cmd $1
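Review bot: in the Makefile hunk, WANTLIB drops both uuid and stdc++ while the gcc4 module is added with MODGCC4_LANGS = c++; dropping uuid follows from the libc uuid change, but confirm the C++ runtime is still accounted for by running `make port-lib-depends-check` on the built package instead of assuming the module supplies it. The post-install change also relies on the ksh `generate!(*.orig)` glob; with all pki patches gone there are no .orig files left to exclude, so a plain `${WRKSRC}/pki/generate*` would be clearer.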
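Review bot: the distinfo hunk is the only integrity check on the new tarball, because MASTER_SITES is ${HOMEPAGE}/download/ and HOMEPAGE is http://www.taskwarrior.org/, a plain-http fetch; say in the commit message how the new SHA256 was cross-checked against upstream's published hash or signature rather than taken from whatever the first download produced.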
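Review bot: the files/config hunk makes server=127.0.0.1:53589 and trust=strict the defaults, which is the right secure default, but with loopback only the remote sync tested in the thread will not work until server= is edited, and taskd 1.1.0 rejects the old `*:53589` form; pkg/README needs to state both. Keep trust=strict rather than relaxing it: if the pki/ scripts emit certs that fail chain validation, loosening trust silences the failure at every client instead of fixing the CA, and the ca.cert= line in the same file is what strict mode validates against.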
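Review bot: the patch-CMakeLists_txt hunk gates on a CMake variable OPENBSD, and the patch-src_util_h and patch-src_util_cpp hunks on a preprocessor macro OPENBSD, yet nothing in this diff defines either; confirm upstream's CMakeLists.txt sets both for CMAKE_SYSTEM_NAME OpenBSD (including the add_definitions), because otherwise `#if defined(FREEBSD) || defined(OPENBSD)` is never taken and util.h silently falls through to `#include <uuid/uuid.h>`. The same CMake hunk probes HAVE_UUID_UNPARSE_LOWER, a libuuid symbol, while the util.cpp code it enables is the DCE-style uuid_t path per the kern_uuid.c comment; paste the "-- Found libuuid" line from an OpenBSD configure run so it is clear the check passes for the intended reason.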
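Review bot: deleting patch-pki_generate, patch-pki_generate_ca, patch-pki_generate_client, patch-pki_generate_crl and patch-pki_generate_server reverts the installed scripts to upstream's versions, and the removed hunks show exactly what the old patches fixed: `#!/bin/bash` to `#!/bin/sh`, `$(which gnutls-certtool || which certtool)` to `$(which certtool)`, and sourcing ./vars for bits, names and expiration_days. Since the thread says upstream took these "with some slight modifications", verify on an OpenBSD box that the scripts under share/examples/taskd/pki still start and still find certtool before blaming the GnuTLS version for the validation failures; patch-pki_README still rewrites the verify command to `certtool --verify ...`, so README and scripts should agree on the tool name.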
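Review bot: in the PLIST hunk, `@sample share/examples/taskd/pki/vars` places the editable vars next to the example scripts under share/examples, but the scripts source ./vars from the current directory and files/config expects the resulting *.pem files in /var/taskd; pkg/README should tell users to copy the pki/ directory somewhere private, edit vars there, run the scripts there, and move the generated certs and keys into /var/taskd, otherwise the @sample target is never used and keys end up under share/examples.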
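Review bot: rc_pre() in taskd.rc creates /var/run/taskd owned by _taskd, which files/config needs for pid.file=/var/run/taskd/taskd.pid, but the same config logs to /var/log/taskd/taskd.log and nothing in this diff creates that directory with _taskd ownership; either add it to rc_pre or make sure the package creates it. Consider `install -d -o _taskd -g _taskd -m 0755 /var/run/taskd` so the group is explicit as well.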
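Since the thread asks whether pkg/README should just tell users how to do the certificate steps by hand, the sequence below is that manual procedure as one script: a private CA, a server cert naming the host clients connect to, a client cert, a CRL, and the same `certtool --verify` check the patched pki/README recommends, which is what a client with trust=strict will effectively redo in the handshake. This is an added example, not the taskd project's pki/ scripts and not part of the port; it assumes certtool from security/gnutls is on PATH (OpenBSD installs it as certtool, some systems as gnutls-certtool), and the names task.example.org, 192.0.2.10, alice and "Example Org" are placeholders.

```shell
#!/bin/sh
# Added example (not taskd's pki/ scripts): build a private CA, server cert,
# client cert and CRL for taskd with GnuTLS certtool, then verify each cert
# against the CA the way a trust=strict client does.
# Assumptions: certtool is on PATH; all names/paths here are placeholders.
set -eu

BITS=${BITS:-4096}                       # same default as the vars file
EXPIRATION_DAYS=${EXPIRATION_DAYS:-365}
ORG=${ORG:-"Example Org"}

find_certtool() {
    # OpenBSD's gnutls package installs "certtool"; some systems rename it
    # "gnutls-certtool" so it does not clash with other certtools.
    for t in certtool gnutls-certtool; do
        command -v "$t" >/dev/null 2>&1 && { echo "$t"; return 0; }
    done
    echo "certtool not found" >&2
    return 1
}
CT=$(find_certtool 2>/dev/null || true)

gen_key() {
    # $1 = output file. Private keys must never be group/world readable.
    "$CT" --generate-privkey --bits "$BITS" --outfile "$1"
    chmod 600 "$1"
}

gen_ca() {
    # "ca" and "cert_signing_key" are what make this usable as an issuer;
    # "crl_signing_key" lets the same key sign the CRL below.
    gen_key ca.key.pem
    cat > ca.info <<EOF
organization = $ORG
cn = $ORG CA
expiration_days = $EXPIRATION_DAYS
ca
cert_signing_key
crl_signing_key
EOF
    "$CT" --generate-self-signed --load-privkey ca.key.pem \
        --template ca.info --outfile ca.cert.pem
}

sign_cert() {
    # $1 = basename, $2 = template; issues $1.cert.pem from the CA above.
    "$CT" --generate-certificate --load-privkey "$1.key.pem" \
        --load-ca-certificate ca.cert.pem --load-ca-privkey ca.key.pem \
        --template "$2" --outfile "$1.cert.pem"
}

# gen_server HOSTNAME [IP ...]: clients match the server cert against the
# name they connect to, so every DNS name and address must be listed.
gen_server() {
    host=$1; shift
    gen_key server.key.pem
    {
        echo "organization = $ORG"
        echo "cn = $host"
        echo "expiration_days = $EXPIRATION_DAYS"
        echo "dns_name = $host"
        for ip in "$@"; do echo "ip_address = $ip"; done
        echo tls_www_server; echo encryption_key; echo signing_key
    } > server.info
    sign_cert server server.info
}

gen_client() {
    # $1 = client name. taskd identifies clients by certificate, so issue
    # one cert per client rather than sharing one.
    gen_key "$1.key.pem"
    cat > "$1.info" <<EOF
organization = $ORG
cn = $1
expiration_days = $EXPIRATION_DAYS
tls_www_client
encryption_key
signing_key
EOF
    sign_cert "$1" "$1.info"
}

gen_crl() {
    # Empty CRL for server.crl= in taskd's config; reissue when revoking.
    printf 'crl_next_update = %s\n' "$EXPIRATION_DAYS" > crl.info
    "$CT" --generate-crl --load-ca-privkey ca.key.pem \
        --load-ca-certificate ca.cert.pem --template crl.info \
        --outfile server.crl.pem
}

# verify_cert FILE: returns 0 only if FILE chains to ca.cert.pem.
verify_cert() {
    "$CT" --verify --load-ca-certificate ca.cert.pem --infile "$1" >/dev/null
}

main() {
    [ -n "$CT" ] || { echo "certtool not found" >&2; exit 1; }
    gen_ca; gen_server "$@"; gen_client client; gen_crl
    for f in server.cert.pem client.cert.pem; do
        verify_cert "$f" || { echo "$f does not verify" >&2; exit 1; }
    done
    echo "ok: move *.pem to /var/taskd, keep *.key.pem mode 600"
}

# Usage: sh taskd-pki.sh task.example.org [192.0.2.10 ...]
if [ $# -gt 0 ]; then main "$@"; fi
```

If the certs produced by the packaged scripts still fail under trust=strict, run `verify_cert` on them with the packaged ca.cert.pem first: a chain that fails there fails in the handshake too, and `certtool -i --infile ca.cert.pem` shows whether the CA cert carries the CA basic constraint and certificate-signing key usage that the signer checks look at.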
