#1 Move demo certificate Makefile + scripts into /usr/share/doc
Closed 6 years ago by tmraz. Opened 6 years ago by walters.
rpms/ walters/openssl make-no-make  into  master

file modified
+8 -8
@@ -74,7 +74,7 @@ 

  BuildRequires: /usr/bin/pod2man

  BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)

  BuildRequires: perl(Module::Load::Conditional)

- Requires: coreutils, make

+ Requires: coreutils

  Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}

  

  %description
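Review bot: Dropping `make` from the `Requires:` line is a runtime behaviour change that the spec does not record anywhere near it. Anyone who still runs the certificate Makefile on a minimal install will now get a bare "command not found", so add a `%changelog` entry (and ideally a note in the Makefile's own header) stating that `make` is no longer pulled in and must be installed separately to use it.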
@@ -292,7 +292,7 @@ 

  %install

  [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT

  # Install OpenSSL.

- install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl}

+ install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_pkgdocdir},%{_mandir},%{_libdir}/openssl}

  make DESTDIR=$RPM_BUILD_ROOT install

  rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}

  for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
@@ -304,9 +304,9 @@ 

  # Install a makefile for generating keys and self-signed certs, and a script

  # for generating them on the fly.

  mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs

- install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile

- install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert

- install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert

+ install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate

+ install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_pkgdocdir}/make-dummy-cert

+ install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_pkgdocdir}/renew-dummy-cert

  

  # Move runable perl scripts to bindir

  mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
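Review bot: The `install -m755` lines for `make-dummy-cert` and `renew-dummy-cert` leave executable files in `%{_pkgdocdir}`. rpm's automatic dependency generator scans executable scripts, so their shebang interpreter can reappear as a generated Requires from what is now documentation. If they are kept only as examples, install them with `-m644`; if they are meant to be run, the doc directory is the wrong place for them. Separately, the context comment "Install a makefile for generating keys and self-signed certs" and the `mkdir -p` of `pki/tls/certs` below it no longer describe what these lines do and should be updated to say the files are shipped as documentation.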
@@ -381,9 +381,9 @@ 

  %{!?_licensedir:%global license %%doc}

  %license LICENSE

  %doc FAQ NEWS README README.FIPS

- %{_bindir}/make-dummy-cert

- %{_bindir}/renew-dummy-cert

- %{_sysconfdir}/pki/tls/certs/Makefile

+ %{_pkgdocdir}/make-dummy-cert

+ %{_pkgdocdir}/renew-dummy-cert

+ %{_pkgdocdir}/Makefile.certificate

  %{_bindir}/openssl

  %{_mandir}/man1*/*

  %{_mandir}/man5*/*
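Review bot: The `%files` list now mixes the relative `%doc FAQ NEWS README README.FIPS` line with three files installed directly under `%{_pkgdocdir}`. Fedora's packaging guidelines forbid combining the two methods in one source package because the results can conflict, so either install FAQ, NEWS and the READMEs into `%{_pkgdocdir}` in `%install` as well, or confirm with `rpm -qlp` on the built package that all three moved files are actually present. The rename to `Makefile.certificate` also means a plain `make` in that directory no longer finds it; the file's usage text should mention `make -f Makefile.certificate`.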

These scripts have existed for a long time; the history dates past
the import from CVS.

Since then, a lot has changed; probably most notable is the existence
of Let's Encrypt. For private/internal use cases, there are tons of
other tools, such as Dogtag etc.

The Makefile introduces a dependency on make which is embarrassing
to include in Fedora Atomic Host by default (and particularly now
that GNU Make pulls in guile). For a bit of background on the make
dependency, see: RH bugzilla #783446

These scripts were never portable across distributions, so while I'm sure there
are some people out there using them, it's really time to basically deprecate
them and point people at more serious replacements. This is the first step in
that, by moving them into /usr/share/doc.

rebased onto 92659c99811ff93b726e17920437c50c3eb058f1

6 years ago

Before merging we need to find out if/where there are current users of these scripts and makefile in the current Fedora. Then we need to notify them. Only after that can it be changed here.

rebased onto 98cafe0

6 years ago

Trivia for fact fans!

That Makefile has been in (OPENSSLDIR)/certs since March 1, 2000 (our definition of OPENSSLDIR has changed a couple of times since, but the Makefile has always been in the certs subdirectory of that directory ever since then). It was probably never actually "the right" place for it, though, it's just been wrong for 17 years. See my epic TLS trust store post for more, specifically the section "Even more historical trivia: what the hell is the deal with Red Hat’s certs/ dir anyway?"

I would probably recommend finding some RH SSL/TLS old-timers and asking them if there are any major known users of this Makefile, since it sure has been in this (wrong) place for an awful long time. I suspect it's possible there's some huge RH customer relying on it or something. Doesn't mean we can't move it in Fedora, but we should do so carefully and make sure RHEL knows about the change and has the chance to choose whether to do something different.

I would not be too afraid of third-party dependency, as we will not stop shipping the file; it will just be placed in another place. Changes like this in major downstream releases have to be expected. And of course we need to document that in the release notes of the future RHEL or so, but that is a different question.

Hey, so our competition is explicitly beating us up on OS image size: https://www.ubuntu.com/core

Scroll down to the "Ubuntu Core vs CentOS Atomic". Getting smaller is only going to happen through small incremental steps like this.

Let's merge this into Fedora at least, and if there's any fallout we can consider backing it out or a different approach?

So I've decided to keep the shell scripts, they might be useful for example for testing and removing them really does not present any image size improvements. I've moved the Makefile and dropped the requirement on make.

Pull-Request has been closed by tmraz

6 years ago

The final commit seems to be https://src.fedoraproject.org/rpms/openssl/c/f20f5f466f6a819493586cb6d608caaa17a5da42?branch=master

The RPM changelog entry (and git) could really have used a link to this PR I would say.
