List: netbsd-tech-userlevel
Subject: Re: postinstall(8): Add opensslcerts item to regen /etc/openssl/certs.
From: Taylor R Campbell <riastradh () NetBSD ! org>
Date: 2023-08-26 11:35:07
Message-ID: 20230826113507.D933660A28 () jupiter ! mumble ! net
> Date: Sat, 26 Aug 2023 06:50:22 -0400
> From: Jason Thorpe <thorpej@me.com>
>
> > On Aug 26, 2023, at 1:59 AM, Taylor R Campbell <riastradh@NetBSD.org> wrote:
> >
> > postinstall(8): Add opensslcerts item to regen /etc/openssl/certs.
> >
> > Works only with destdir /, since it relies on running openssl(1),
> > which is not available as a tool or required in the cross-build
> > environment.
>
> Maybe there should be a boot-time check in an rc script for an
> out-of-date trust cache?
That would be reasonable, but I didn't want to create a new reason
requiring /etc to be writable during normal boot.
Right now, to keep it simple and reliable, certctl(8) works by
deleting /etc/openssl/certs and recreating it; there's no mechanism to
update /etc/openssl/certs incrementally or check whether it is out of
date. So at the moment, `certctl rehash' always requires /etc to be
writable.
We could create a mechanism to check whether it is out of date (both
to check for missing symlinks and to check for extraneous symlinks and
to check for mismatched symlinks), and define a new command to invoke
it, and add new tests for it, and use that in an /etc/rc.d script.
It wouldn't hurt to have all that, but it's a bunch of extra work.
And the normal install (and upgrade) procedure always goes through
postinstall(8) anyway. So that's where I started.
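As an added illustration of the out-of-date check discussed in the reply (not code from the NetBSD thread or from certctl(8)), the following Python compares the symlinks in an OpenSSL hash directory against the set of trusted certificate files and reports the three conditions named above: missing, extraneous and mismatched links. It assumes the `<subject_hash>.<n>` symlink layout, treats sorted path order as the canonical `.0`, `.1` numbering for certificates sharing a hash, and only needs openssl(1) in PATH when the real hash function is used; `demo()` is a constructed scenario with a stand-in hash function.

```python
# Added example: read-only check of whether an OpenSSL hash directory such as
# /etc/openssl/certs is out of date relative to the trusted certificate files.
import os, subprocess, tempfile
from collections import defaultdict

def openssl_subject_hash(cert_path):
    # Same hash openssl(1)/c_rehash use for link names (needs openssl in PATH).
    cmd = ["openssl", "x509", "-noout", "-subject_hash", "-in", cert_path]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()

def expected_links(cert_paths, subject_hash=openssl_subject_hash):
    # Link name -> absolute target.  Certs sharing a hash get <hash>.0, <hash>.1, ...
    # in sorted path order (assumption: treated here as the canonical numbering).
    by_hash = defaultdict(list)
    for p in sorted(cert_paths):
        by_hash[subject_hash(p)].append(os.path.abspath(p))
    return {f"{h}.{i}": t for h, ts in by_hash.items() for i, t in enumerate(ts)}

def actual_links(certs_dir):
    # Only symlinks are inspected; a bundle file such as ca-certificates.crt is ignored.
    links = {}
    for name in os.listdir(certs_dir):
        full = os.path.join(certs_dir, name)
        if os.path.islink(full):
            links[name] = os.path.abspath(os.path.join(certs_dir, os.readlink(full)))
    return links

def check_hashdir(cert_paths, certs_dir, subject_hash=openssl_subject_hash):
    # Nothing under certs_dir is modified, so /etc need not be writable to run this.
    want, have = expected_links(cert_paths, subject_hash), actual_links(certs_dir)
    missing = sorted(set(want) - set(have))
    extraneous = sorted(set(have) - set(want))
    mismatched = sorted(n for n in want if n in have and have[n] != want[n])
    return {"missing": missing, "extraneous": extraneous, "mismatched": mismatched,
            "up_to_date": not (missing or extraneous or mismatched)}

def demo():
    # Constructed scenario with a stand-in hash function so it runs without openssl(1).
    fake = {"a.pem": "1111aaaa", "b.pem": "2222bbbb", "c.pem": "1111aaaa"}
    with tempfile.TemporaryDirectory() as tmp:
        store, hashdir = os.path.join(tmp, "certs.d"), os.path.join(tmp, "certs")
        os.mkdir(store); os.mkdir(hashdir)
        certs = [os.path.join(store, n) for n in ("a.pem", "b.pem", "c.pem", "old.pem")]
        for p in certs: open(p, "w").close()   # empty stand-ins for PEM files
        os.symlink(certs[0], os.path.join(hashdir, "1111aaaa.0"))  # correct
        os.symlink(certs[3], os.path.join(hashdir, "1111aaaa.1"))  # mismatched: should be c.pem
        os.symlink(certs[3], os.path.join(hashdir, "deadbeef.0"))  # extraneous: old.pem not trusted
        # 2222bbbb.0 for b.pem is never created, so it should be reported missing.
        return check_hashdir(certs[:3], hashdir, lambda p: fake[os.path.basename(p)])
```

Because the comparison is by link name, a hash directory built with a different `.0`/`.1` ordering for colliding subject hashes shows up as mismatched rather than up to date; an rc.d check built on this would want the same numbering rule as the tool that writes the directory.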