
List:       netbsd-tech-userlevel
Subject:    Re: postinstall(8): Add opensslcerts item to regen /etc/openssl/certs.
From:       Taylor R Campbell <riastradh () NetBSD ! org>
Date:       2023-08-26 11:35:07
Message-ID: 20230826113507.D933660A28 () jupiter ! mumble ! net

> Date: Sat, 26 Aug 2023 06:50:22 -0400
> From: Jason Thorpe <thorpej@me.com>
> 
> > On Aug 26, 2023, at 1:59 AM, Taylor R Campbell <riastradh@NetBSD.org> wrote:
> > 
> > postinstall(8): Add opensslcerts item to regen /etc/openssl/certs.
> > 
> > Works only with destdir /, since it relies on running openssl(1),
> > which is not available as a tool or required in the cross-build
> > environment.
> 
> Maybe there should be a boot-time check in an rc script for an
> out-of-date trust cache?

That would be reasonable, but I didn't want to create a new reason
requiring /etc to be writable during normal boot.

Right now, to keep it simple and reliable, certctl(8) works by
deleting /etc/openssl/certs and recreating it; there's no mechanism to
update /etc/openssl/certs incrementally or check whether it is out of
date.  So at the moment, `certctl rehash' always requires /etc to be
writable.

We could create a mechanism to check whether it is out of date (both
to check for missing symlinks and to check for extraneous symlinks and
to check for mismatched symlinks), and define a new command to invoke
it, and add new tests for it, and use that in an /etc/rc.d script.

It wouldn't hurt to have all that, but it's a bunch of extra work.
And the normal install (and upgrade) procedure always goes through
postinstall(8) anyway.  So that's where I started.
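
An added example, not part of the original message and not code from certctl(8): a read-only check for the three conditions named above (missing, extraneous and mismatched symlinks) that never writes to the certificate directory. The function names, the "linkname target" list format, and the sample hash names and /trust paths are assumptions made for the example.

```sh
# Added example, not certctl(8) code; function names are hypothetical.

# expected_links CERT...: print "<subject-hash>.<n> <path>" per certificate,
# the link names OpenSSL looks up in a hashed directory. Numbering equal
# hashes in sorted order is an assumption; paths must not contain spaces.
expected_links() {
    for cert in "$@"; do
        hash=$(openssl x509 -hash -noout -in "$cert") || continue
        printf '%s %s\n' "$hash" "$cert"
    done | sort | awk '{ printf "%s.%d %s\n", $1, n[$1]++, $2 }'
}

# check_certs_dir DIR EXPECTED: compare DIR with the "linkname target"
# lines in file EXPECTED without writing anything. Prints one line per
# problem; returns 0 if DIR is up to date, 1 if it is stale.
check_certs_dir() {
    dir=$1 expected=$2 stale=0
    while read -r name target; do
        if [ ! -L "$dir/$name" ]; then
            echo "missing $name"; stale=1
        elif [ "$(readlink "$dir/$name")" != "$target" ]; then
            echo "mismatched $name"; stale=1
        fi
    done < "$expected"
    for path in "$dir"/*; do
        # -L also catches dangling symlinks, which -e reports as absent.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        awk -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$expected" ||
            { echo "extraneous $name"; stale=1; }
    done
    return $stale
}

# demo: constructed directory with one good, one mismatched, one missing
# and one extraneous link. Hash names and /trust paths are made up.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/certs"
    printf '%s\n' 'aaaa1111.0 /trust/a.pem' 'bbbb2222.0 /trust/b.pem' \
        'cccc3333.0 /trust/c.pem' > "$d/expected"
    ln -s /trust/a.pem "$d/certs/aaaa1111.0"
    ln -s /trust/old.pem "$d/certs/bbbb2222.0"
    ln -s /trust/gone.pem "$d/certs/dddd4444.0"
    check_certs_dir "$d/certs" "$d/expected" && rc=0 || rc=1
    rm -rf "$d"
    return $rc
}
```

Because the check only reads the directory, it could run from a boot-time script without /etc being writable; acting on a stale result would still need the writable rehash.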