On Mon, May 11, 2020 at 01:45:14PM -0500, Kyle Evans wrote: > On Mon, May 11, 2020 at 1:10 PM Brooks Davis <bro...@freebsd.org> wrote: > > > > On Sat, May 09, 2020 at 02:01:29AM +0000, Kyle Evans wrote: > > > Author: kevans > > > Date: Sat May 9 02:01:29 2020 > > > New Revision: 360833 > > > URL: https://svnweb.freebsd.org/changeset/base/360833 > > > > > > Log: > > > installworld: attempt a certctl rehash at the tail end > > > > > > This can be run as root or normal user with no problem; if they hadn't > > > twisted the WITHOUT_CAROOT knob, we'll attempt to use the host certctl > > > to > > > rehash the DESTDIR. This would allow one to build systems > > > WITHOUT_OPENSSL + > > > WITH_CAROOT with a populated /etc/ssl that they can then use with an > > > appropriate *ssl from somewhere else. > > > > > > Cross-builds are fine because this will always use the host certctl, or > > > just > > > nag if it's missing and it wasn't a WITHOUT_CAROOT build. > > > > > > MFC after: 1 week > > > Differential Revision: https://reviews.freebsd.org/D24641 > > > > > > Modified: > > > head/Makefile.inc1 > > > > > > Modified: head/Makefile.inc1 > > > ============================================================================== > > > --- head/Makefile.inc1 Sat May 9 01:48:08 2020 (r360832) > > > +++ head/Makefile.inc1 Sat May 9 02:01:29 2020 (r360833) > > > @@ -1403,6 +1403,16 @@ distributeworld installworld stageworld: > > > _installcheck > > > ${DESTDIR}/${DISTDIR}/${dist}.debug.meta > > > .endfor > > > .endif > > > +.elif make(installworld) && ${MK_CAROOT} != "no" > > > + # We could make certctl a bootstrap tool, but it requires OpenSSL > > > and > > > + # friends, which we likely don't want. We'll rehash on a > > > best-effort > > > + # basis, otherwise we'll just mention that we're not doing it to > > > raise > > > + # awareness. > > > + @if which certctl>/dev/null; then \ > > > + certctl rehash \ > > > > Does this update METALOG with the added links? > > > > It seems a little weird to rely on DESTDIR from the environment. > > > > In general I'm not enthusiastic about additions to installworld that do > > anything other than copying files, creating links, etc in simple ways. > > I will happily back this out if I can get some qualified eyes to > review/improve it. It does not update METALOG, and it probably should. > Agreed on DESTDIR. As for point #3, I guess we can continue spreading > `certctl rehash` all over the tree in various points that may need it; > the release(7) scripts will need to be done if we don't do it here at > a minimum, and I haven't put much thought into it beyond that.
I'm not in a rush to back this out given that it's solving a real problem, but lets talk about improvements. I kind of feel like this belongs in distribution (which I think would deal with release scripts) or in etcupdate/mergemaster, but I'm not sure either of those are correct. I'd be happy to review changes to update the METALOG (I guess we'd extend certctl with an option to do that?) I think that's the most important things because we really should be routinely validating that DESTDIR only contains things in the METALOG. A quick and dirty fix for the DESTDIR weirdness might be adding "env DESTDIR=${DESTDIR}" so it's explicit. > The close-to-infuriating part of the caroot project has been that it's > incredibly hard to get almost anyone else (with some obvious > exceptions) to do more than informal discussion on the matter; actual > review, in particular, is difficult to obtain. Thanks for doing all this work! I'm afraid the whole thing gives me third-rail vibes (not the idea or the implementation, but the potential for things to go wrong) so I've veered away from the larger reviews. :( -- Brooks
signature.asc
Description: PGP signature