History log of /src/usr.sbin/postinstall/postinstall.in
Revision  Date  Author  Comments
 1.72  04-Jun-2025  rillig all: fix some "internal option -J" warnings from make
 1.71  27-Oct-2024  spz PR bin/58476: second half: be more selective with the strings to update
for blacklistd -> blocklistd
issue pointed out and patch supplied by Timo Buhrmester
 1.70  23-Oct-2024  rin postinstall: Do not obsolete 10-sub-pixel-rgb.conf

This file was revived for fontconfig 2.14.1, and has been recognized
both as a valid and an obsoleted file at the same time.

Fix PR misc/57547 and PR bin/58406.

No release branches are affected.
 1.69  12-Oct-2024  uwe postinstall: obsolete_libs - update comment

... that mentions a variable name in an AWK script far, far away.
 1.68  12-Oct-2024  spz (typo) it used to be /var/db/blacklistd.db not /var/db/blacklist.db
 1.67  10-Oct-2024  uwe postinstall: get rid of exclude -t

exclude_libs() no longer uses it, so revert exclude() to what it was
before the -t was introduced.

It can probably be further improved, but I'm not sure why it needs
eval and why it wants to anchor at the beginning of the line only
(something to do with e.g. blocklist vs. blocklistd), and I don't have
time to investigate this properly at the moment.
 1.66  10-Oct-2024  uwe postinstall: simplify exclude_libs

Don't compose a baroque ERE to filter the list of libraries. grep can
match whole lines with -x so that takes care of the anchoring. And
grep can also take multiple patterns, one per line, as a single
argument - which the man page of our rather out of date version
doesn't adequately document.

While here describe the downgrade scenario that it is intended to
handle.
 1.65  10-Oct-2024  uwe postinstall: exclude_libs - use find/readlink instead of ls/awk

This doesn't only feel right, but also gets rid of a bogus empty line
in the list of targets (for all the files that are not symlinks).
 1.64  10-Oct-2024  uwe postinstall: clarify/simplify awk script in _obsolete_libs

Add comments and rename variables to better reflect their purpose.
Emit plain filenames, not absolute paths, b/c that's what exclude_libs
expects. While here explain what might trigger the exclude_libs
scenario (downgrades).

PR bin/58697: postinstall(8) removes non-obsolete compat libs
 1.63  05-Apr-2024  christos branches: 1.63.2;
remove dup named dir
 1.62  10-Mar-2024  rillig postinstall: fix parameter order in usage message
 1.61  09-Mar-2024  rillig postinstall: fix endless loop (since 2024-03-07)
 1.60  07-Mar-2024  christos no local in loops, simplify eval (thanks kre)
 1.59  07-Mar-2024  christos - fix named.conf (remove dnssec-enable option)
- use proper local variables instead of adding _ or other prefixes.
- centralize rm use
- use grep -q instead of > /dev/null
- reduce constant duplication
 1.58  29-Jan-2024  riastradh postinstall(8): Don't say /etc/openssl/certs.conf already exists.

It's confusing when all the other `postinstall fix' actions are
silent in the event they don't have anything to do.

PR install/57885
 1.57  18-Oct-2023  riastradh postinstall(8): Use /usr/sbin/certctl.

Obviates need to have /usr/sbin in PATH when running this.

XXX pullup-10
 1.56  06-Sep-2023  riastradh postinstall(8): Modify default certs.conf.

When manually configured /etc/openssl/certs is detected, just
uncomment the `#manual' line in the default certs.conf rather than
writing a new one. That way, you can switch to certctl-managed and
still get the default path by just deleting /etc/openssl/certs and
re-commenting the `manual' line.
 1.55  03-Sep-2023  riastradh postinstall(8): Handle various certs.conf scenarios gracefully.

Tested the following scenarios:

1. fresh install
empty /etc/openssl/certs
default /etc/openssl/certs.conf
- opensslcertsconf
[x] check: pass
[x] fix: pass -- nothing
- opensslcertsrehash
[x] check: fail -- needs rehash
[x] fix: pass -- quietly rehash successfully (go to 4)

2. fresh upgrade
empty /etc/openssl/certs
no /etc/openssl/certs.conf
- opensslcertsconf
[x] check: fail -- complain missing /etc/openssl/certs.conf
[x] fix: pass -- install default /etc/openssl/certs.conf (go to 1)
- opensslcertsrehash
[x] check: fail -- complain missing /etc/openssl/certs.conf
[x] fix: fail -- complain missing /etc/openssl/certs.conf

3. upgrade from certctl, changes to certs
certctl-managed /etc/openssl/certs
default /etc/openssl/certs.conf
- opensslcertsconf
[x] check: pass
[x] fix: pass -- nothing
- opensslcertsrehash
[x] check: fail -- needs rehash
[x] fix: pass -- quietly rehash successfully (go to 4)

4. upgrade from certctl, no changes to certs
certctl-managed /etc/openssl/certs
default /etc/openssl/certs.conf
- opensslcertsconf
[x] check: pass
[x] fix: pass -- nothing
- opensslcertsrehash
[x] check: pass
[x] fix: pass -- quietly rehash successfully (go to 4)

5. upgrade from mozilla-rootcerts
populated /etc/openssl/certs
no /etc/openssl/certs.conf
- opensslcertsconf:
[x] check: fail -- complain missing /etc/openssl/certs.conf
[x] fix: pass -- install manual /etc/openssl/certs.conf (go to 7)
- opensslcertsrehash:
[x] check: fail -- complain missing /etc/openssl/certs.conf
[x] fix: fail -- complain missing /etc/openssl/certs.conf

6. upgrade from mozilla-rootcerts with etcupdate naively
populated /etc/openssl/certs
default /etc/openssl/certs.conf
- opensslcertsconf:
[x] check: pass
[x] fix: pass -- nothing
- opensslcertsrehash:
[x] check: fail -- complain mismatched certs/ and certs.conf
[x] fix: fail -- complain mismatched certs/ and certs.conf

7. upgrade from mozilla-rootcerts with etcupdate manually
populated /etc/openssl/certs
manual /etc/openssl/certs.conf
- opensslcertsconf:
[x] check: pass
[x] fix: pass -- nothing
- opensslcertsrehash:
[x] check: pass
[x] fix: pass -- skip rehash because manual (go to 7)

XXX Someone should draft automatic tests for postinstall. It has a
very good track record, but it sure would be nice to automate this
testing rather than redo it each time I make a tiny change.
 1.54  28-Aug-2023  riastradh postinstall(8): Fail if `certctl rehash' fails.

Not using `set -e' here, evidently (maybe we should), so the separate
return 0 suppressed the error.
 1.53  26-Aug-2023  riastradh postinstall(8): Add opensslcerts item to regen /etc/openssl/certs.

Works only with destdir /, since it relies on running openssl(1),
which is not available as a tool or required in the cross-build
environment.
 1.52  21-Jun-2023  mrg adjust for new fontconfig files.
 1.51  29-May-2022  andvar branches: 1.51.2;
fix various typos in comments and log messages.
 1.50  08-Jan-2022  lukem postinstall: improve -s usage

Reword -s SRC_ARG to be a bit clearer as to the variations, and sync
more with postinstall(8).
 1.49  08-Jan-2022  lukem postinstall: tweak -a and -m usage
 1.48  08-Jan-2022  lukem postinstall: add -? to usage
 1.47  08-Jan-2022  lukem postinstall: add -?. improve option errors

Support -? to show help.
Implemented using getopts "leading colon optstring" feature.
Improve error messages for unknown options and missing arguments.
 1.46  08-Jan-2022  lukem postinstall: usage improvements

Show options alphabetically.
Use UPPER_CASE instead of lowercase as the convention for argument names.
Provide per-OPERATION argument usage.
Implement options alphabetically.
 1.45  08-Jan-2022  lukem postinstall: improve validation and help

Validate the operation and items before extracting any etc.tgz,
so that help or errors are displayed quicker, for a better user
experience.

Style:
- Rename todo to ITEMS.
- Order processing of list after check.
- Ensure DIFF_OPT is initialised, for consistency.
 1.44  08-Jan-2022  lukem postinstall: style tweaks

Fix ... in comments and internal errors.
Sort variables declared at top of main(), for easier review.
 1.43  08-Jan-2022  lukem postinstall: help to stdout. usage tweaks

When invoked as "help" or "usage", send the usage to stdout
instead of stderr, so that it's easier to pipe to a pager.

Explicitly warn that the operation is missing.

Tweak the usage; "operation" instead of "op", no need for [] around ...
 1.42  07-Jan-2022  lukem postinstall: fix x11 migration of /usr/X11R6/lib/X11

Fix the x11 check if /usr/X11R6/lib/X11/* needs to migrate to /etc/X11/*
by ensuring that the former actually is detected.

Avoids false migration errors for paths such as /fs if /usr/X11R6
doesn't exist, such as:
x11 check:
Migrate /fs to /etc/X11/fs

The original implementation handled this correctly, but the bug
crept in postinstall 1.110 on 2010/11/21.
 1.41  21-Aug-2021  andvar s/accidentaly/accidentally/
 1.40  21-Aug-2021  andvar s/helt/held+s/eroneously/erroneously/+s/splitted/split/+s/recommented/recommended/
 1.39  07-Jun-2021  mlelstv Don't overwrite changed autofs config files.
 1.38  25-Apr-2021  lukem postinstall: re-align list output
 1.37  25-Apr-2021  lukem postinstall: sort the items. keep obsolete* last

Consistency and quality of life improvements to postinstall:

Order all of the items (including disabled) alphabetically.
Consistent comment style before each item block.
Move other functions used by do_*() before rather than after do_*().
 1.36  25-Apr-2021  lukem postinstall: comment and usage style

Use NOTE: for comments to be aware of.
Remove double space before "fix|check" in some items.
 1.35  25-Apr-2021  lukem postinstall: ensure SRC_DIR and DEST_DIR are quoted
 1.34  25-Apr-2021  lukem postinstall: use correct DEST_DIR in obsolete_stand
 1.33  28-Aug-2020  christos missing quote
 1.32  28-Aug-2020  christos Restrict npf.conf fixes to "blacklistd" -> "blocklistd"
 1.31  07-Jul-2020  simonb Sort missing IDs (users and groups) by the numeric ID.
 1.30  29-Jun-2020  riastradh Nix trailing whitespace.
 1.29  22-Jun-2020  rin Fix do_blocklist:
- Respect destination directory specified by -d option.
- Accept check and fix options. For the former, do not modify anything as
users normally expect.
 1.28  20-Jun-2020  riastradh Nix trailing whitespace.
 1.27  15-Jun-2020  christos handle /etc/blacklistd.conf
 1.26  15-Jun-2020  christos correct blocklist script
- removal of rc file is handled by obsolete
- use grep to find if we need more changes
- fix rc population
 1.25  15-Jun-2020  christos fix reversed mv, pointed out by wiz@
 1.24  15-Jun-2020  christos deal with blacklist -> blocklist
 1.23  03-Jun-2020  roy Ensure the dhcpcd log socket is removed.
 1.22  31-May-2020  roy postinstall: Move files out of dhcpcd chroot
 1.21  15-May-2020  christos Add a function to remove the debug bits of the stand files.
 1.20  19-Apr-2020  roy postinstall: ensure contents_owner fix fails on find errors

The issue is that find won't pass anything to xargs and that returns 0.
So replace the usage of xargs with -exec.
 1.19  09-Apr-2020  roy branches: 1.19.2;
Fix dhcpcd $DEST_DIR support
 1.18  06-Apr-2020  roy postinstall: fix contents_owner to return an error on error

find returning nothing via stdout but returning an error is an error.
Fixes the case where dhcpcd chroot db directory isn't owned by _dhcpcd.
 1.17  02-Apr-2020  roy postinstall: add checks for _dhcpcd to do_uid and do_gid

Thanks to jmcneill@
 1.16  02-Apr-2020  roy postinstall: move dhcpcd files to the chroot
 1.15  25-Feb-2020  nakayama Fix the fixup script to follow the URL change in /etc/motd (http->https).

PR install/54990, pullup-9
 1.14  30-Jan-2020  christos change the autofs file to be user writable.
 1.13  30-Jan-2020  christos populate autofs files
 1.12  29-Dec-2019  tsutsui Make sure rc, rc.subr, and rc.shutdown are properly updated.

Currently there is no info which rc* files should be updated
or not on upgrade (at least rc.conf and rc.local shouldn't),
so put back an explicit list in the postinstall script.
"Go for it" by christos@ in PR/54741.

Should be pulled up to netbsd-9.
 1.11  22-Dec-2019  christos PR/54730: Izumi Tsutsui: obsolete etc files are not being cleaned up on
an upgrade build.
 1.10  04-Dec-2019  christos PR/54730: Izumi Tsutsui: Use /var/db/obsolete/<set> to remove obsolete rc.d
files when not in $SOURCEMODE.
 1.9  12-Nov-2019  christos remove debugging.
 1.8  30-Oct-2019  prlw1 Add nvmm group.
 1.7  24-Sep-2019  nakayama Add ${DEST_DIR} prefix to check target directory not host directory.
 1.6  12-Sep-2019  uwe exclude_libs - redirect ls 2> /dev/null so that the user is not
spammed with errors for directories without any libraries; the most
common case in the wild would be empty /usr/libdata/debug. Add -d to
ls for good measure while here.
 1.5  15-Jun-2019  christos branches: 1.5.2;
exclude shared libraries that are currently in use from removal.
 1.4  14-Jun-2019  christos cleanup obsolete file selection from sets and refactor font synchronization.
The font config files are not in sets, so they are still hard-coded.
 1.3  14-Jun-2019  christos select the powerd scripts from the sets
 1.2  14-Jun-2019  christos make the script MI again (same across all archs)
 1.1  14-Jun-2019  christos build dynamically the list of compat archsubdirs.
 1.5.2.6  11-Mar-2024  martin Pull up following revision(s) (requested by christos in ticket #1813):

etc/named.conf: revision 1.11
usr.sbin/postinstall/postinstall.in: revision 1.59
external/mpl/bind/dist/lib/isc/netmgr/netmgr-int.h: revision 1.11

Make sure that the extra field is maximally aligned since it is used for
other struct storage.
- fix named.conf (remove dnssec-enable option)
- use proper local variables instead of adding _ or other prefixes.
- centralize rm use
- use grep -q instead of > /dev/null
- reduce constant duplication

remove obsolete option "dnssec-enable"
 1.5.2.5  07-Jul-2020  martin Pull up following revision(s) (requested by simonb in ticket #989):

usr.sbin/postinstall/postinstall.in: revision 1.31

Sort missing IDs (users and groups) by the numeric ID.
 1.5.2.4  27-Feb-2020  martin Pull up following revision(s) (requested by nakayama in ticket #738):

usr.sbin/postinstall/postinstall.in: revision 1.15

Fix the fixup script to follow the URL change in /etc/motd (http->https).
PR install/54990, pullup-9
 1.5.2.3  02-Jan-2020  martin Pull up following revision(s) (requested by tsutsui in ticket #592):

usr.sbin/postinstall/postinstall.in: revision 1.9
usr.sbin/postinstall/postinstall.in: revision 1.10
usr.sbin/postinstall/postinstall.in: revision 1.11
usr.sbin/postinstall/postinstall.in: revision 1.12

remove debugging.

PR/54730: Izumi Tsutsui: Use /var/db/obsolete/<set> to remove obsolete rc.d
files when not in $SOURCEMODE.


PR/54730: Izumi Tsutsui: obsolete etc files are not being cleaned up on
an upgrade build.

Make sure rc, rc.subr, and rc.shutdown are properly updated.

Currently there is no info which rc* files should be updated
or not on upgrade (at least rc.conf and rc.local shouldn't),
so put back an explicit list in the postinstall script.
"Go for it" by christos@ in PR/54741.

Should be pulled up to netbsd-9.
 1.5.2.2  10-Nov-2019  martin Pull up following revision(s) (requested by maxv in ticket #405):

usr.sbin/nvmmctl/nvmmctl.8: revision 1.2
lib/libnvmm/libnvmm.3: revision 1.24
sys/dev/nvmm/nvmm.h: revision 1.11
lib/libnvmm/libnvmm.3: revision 1.25
sys/dev/nvmm/x86/nvmm_x86.h: revision 1.16
sys/dev/nvmm/nvmm.h: revision 1.12
sys/dev/nvmm/x86/nvmm_x86.h: revision 1.17
tests/lib/libnvmm/h_mem_assist.c: revision 1.12
sys/dev/nvmm/x86/nvmm_x86.h: revision 1.18
share/mk/bsd.hostprog.mk: revision 1.82
lib/libnvmm/libnvmm.c: revision 1.15
distrib/sets/lists/base/md.amd64: revision 1.281
tests/lib/libnvmm/h_mem_assist.c: revision 1.13
lib/libnvmm/libnvmm.c: revision 1.16
tests/lib/libnvmm/h_mem_assist.c: revision 1.14
lib/libnvmm/libnvmm_x86.c: revision 1.32
lib/libnvmm/libnvmm.c: revision 1.17
tests/lib/libnvmm/h_mem_assist.c: revision 1.15
lib/libnvmm/libnvmm_x86.c: revision 1.33
lib/libnvmm/libnvmm.c: revision 1.18
usr.sbin/nvmmctl/Makefile: revision 1.1
tests/lib/libnvmm/h_mem_assist_asm.S: revision 1.7
tests/lib/libnvmm/h_mem_assist.c: revision 1.16
lib/libnvmm/libnvmm_x86.c: revision 1.34
usr.sbin/nvmmctl/Makefile: revision 1.2
tests/lib/libnvmm/h_mem_assist_asm.S: revision 1.8
tests/lib/libnvmm/h_mem_assist.c: revision 1.17
sys/dev/nvmm/nvmm_internal.h: revision 1.13
lib/libnvmm/libnvmm_x86.c: revision 1.35
lib/libnvmm/libnvmm_x86.c: revision 1.36
usr.sbin/postinstall/postinstall.in: revision 1.8
lib/libnvmm/libnvmm_x86.c: revision 1.37
lib/libnvmm/libnvmm_x86.c: revision 1.38
lib/libnvmm/libnvmm_x86.c: revision 1.39
usr.sbin/Makefile: revision 1.282
lib/libnvmm/nvmm.h: revision 1.13
lib/libnvmm/nvmm.h: revision 1.14
lib/libnvmm/nvmm.h: revision 1.15
sys/dev/nvmm/nvmm.c: revision 1.23
lib/libnvmm/nvmm.h: revision 1.16
sys/dev/nvmm/nvmm.c: revision 1.24
lib/libnvmm/nvmm.h: revision 1.17
sys/dev/nvmm/nvmm.c: revision 1.25
tests/lib/libnvmm/h_io_assist.c: revision 1.9
etc/MAKEDEV.tmpl: revision 1.209
tests/lib/libnvmm/h_io_assist.c: revision 1.10
tests/lib/libnvmm/h_io_assist.c: revision 1.11
etc/group: revision 1.35
distrib/sets/lists/man/mi: revision 1.1660
sys/dev/nvmm/x86/nvmm_x86_vmx.c: revision 1.40
sys/dev/nvmm/x86/nvmm_x86_vmx.c: revision 1.41
sys/dev/nvmm/x86/nvmm_x86_vmx.c: revision 1.42
sys/dev/nvmm/x86/nvmm_x86_vmx.c: revision 1.43
sys/dev/nvmm/x86/nvmm_x86_vmx.c: revision 1.44
sys/dev/nvmm/x86/nvmm_x86_svm.c: revision 1.51
sys/dev/nvmm/nvmm_ioctl.h: revision 1.8
sys/dev/nvmm/x86/nvmm_x86_svm.c: revision 1.52
sys/dev/nvmm/nvmm_ioctl.h: revision 1.9
sys/dev/nvmm/x86/nvmm_x86_svm.c: revision 1.53
usr.sbin/nvmmctl/nvmmctl.c: revision 1.1
lib/libnvmm/libnvmm.3: revision 1.20
distrib/sets/lists/debug/md.amd64: revision 1.106
lib/libnvmm/libnvmm.3: revision 1.21
lib/libnvmm/libnvmm.3: revision 1.22
usr.sbin/nvmmctl/nvmmctl.8: revision 1.1
lib/libnvmm/libnvmm.3: revision 1.23

Fix incorrect parsing: the R/M field uses a special GPR map when the
address size is 16 bits, regardless of the actual operating mode. With
this special map there can be two registers referenced at once, and
also disp16-only.
Implement this special behavior, and add associated tests. While here
simplify a few things.
With this in place, the Windows 95 installer initializes correctly.
Part of PR/54611.
add missing initializer
Implement XCHG, add associated tests, and add comments to explain. With
this in place the Windows 95 installer completes successfully.
Part of PR/54611.
Improve nvmm_vcpu_dump().
Put back 'default', because llvm apparently doesn't realize that all cases
are covered in the switch.
Miscellaneous changes in NVMM, to address several inconsistencies and
issues in the libnvmm API.
- Rename NVMM_CAPABILITY_VERSION to NVMM_KERN_VERSION, and check it in
libnvmm. Introduce NVMM_USER_VERSION, for future use.
- In libnvmm, open "/dev/nvmm" as read-only and with O_CLOEXEC. This is to
avoid sharing the VMs with the children if the process forks. In the
NVMM driver, force O_CLOEXEC on open().
- Rename the following things for consistency:
nvmm_exit* -> nvmm_vcpu_exit*
nvmm_event* -> nvmm_vcpu_event*
NVMM_EXIT_* -> NVMM_VCPU_EXIT_*
NVMM_EVENT_INTERRUPT_HW -> NVMM_VCPU_EVENT_INTR
NVMM_EVENT_EXCEPTION -> NVMM_VCPU_EVENT_EXCP
Delete NVMM_EVENT_INTERRUPT_SW, unused already.
- Slightly reorganize the MI/MD definitions, for internal clarity.
- Split NVMM_VCPU_EXIT_MSR in two: NVMM_VCPU_EXIT_{RD,WR}MSR. Also provide
separate u.rdmsr and u.wrmsr fields. This is more consistent with the
other exit reasons.
- Change the types of several variables:
event.type enum -> u_int
event.vector uint64_t -> uint8_t
exit.u.*msr.msr: uint64_t -> uint32_t
exit.u.io.type: enum -> bool
exit.u.io.seg: int -> int8_t
cap.arch.mxcsr_mask: uint64_t -> uint32_t
cap.arch.conf_cpuid_maxops: uint64_t -> uint32_t
- Delete NVMM_VCPU_EXIT_MWAIT_COND, it is AMD-only and confusing, and we
already intercept 'monitor' so it is never armed.
- Introduce vmx_exit_insn() for NVMM-Intel, similar to svm_exit_insn().
The 'npc' field wasn't getting filled properly during certain VMEXITs.
- Introduce nvmm_vcpu_configure(). Similar to nvmm_machine_configure(),
but as its name indicates, the configuration is per-VCPU and not per-VM.
Migrate and rename NVMM_MACH_CONF_X86_CPUID to NVMM_VCPU_CONF_CPUID.
This becomes per-VCPU, which makes more sense than per-VM.
- Extend the NVMM_VCPU_CONF_CPUID conf to allow triggering VMEXITs on
specific leaves. Until now we could only mask the leaves. A uint32_t
is added in the structure:
uint32_t mask:1;
uint32_t exit:1;
uint32_t rsvd:30;
The two first bits select the desired behavior on the leaf. Specifying
zero on both resets the leaf to the default behavior. The new
NVMM_VCPU_EXIT_CPUID exit reason is added.
Three changes in libnvmm:
- Add 'mach' and 'vcpu' backpointers in the nvmm_io and nvmm_mem
structures.
- Rename 'nvmm_callbacks' to 'nvmm_assist_callbacks'.
- Rename and migrate NVMM_MACH_CONF_CALLBACKS to NVMM_VCPU_CONF_CALLBACKS,
it now becomes per-VCPU.
Update the libnvmm man page:
- Sync the naming with reality.
- Replace "relevant" by "desired" and "virtualizer" by "emulator", closer
to what I meant.
- Add a "VCPU Configuration" section.
- Add a "Machine Ownership" section.
Add the "nvmm" group, and make nvmm_init() public. Sent to tech-kern@ a few
days ago.
Use the new PTE naming, and define CR3_FRAME_* separately. No functional
change.
Add a new VCPU conf option, that allows userland to request VMEXITs after a
TPR change. This is supported on all Intel CPUs, and not-too-old AMD CPUs.
The reason for wanting this option is that certain OSes (like Win10 64bit)
manage interrupt priority in hardware via CR8 directly, and for these OSes,
the emulator may want to sync its internal TPR state on each change.
Add two new fields in cap.arch, to report the conf capabilities. Report TPR
only on Intel for now, not AMD, because I don't have a recent AMD CPU on
which to test.
Mask CPUID leaf 0x0A on Intel, because we don't want the guest to try (and
fail) to probe the PMC MSRs. This avoids "Unexpected WRMSR" warnings in
qemu-nvmm.
Add PCID support in the guests. This speeds up most 64bit guests, because
since Meltdown, everybody uses PCID (including NetBSD).
Change the way root_owner works: consider the calling process as root_owner
not if it has root privileges, but if the /dev/nvmm device was opened with
write permissions. Introduce the undocumented nvmm_root_init() function to
achieve that.
The goal is to simplify the logic and have more granularity, eg if we want
a monitoring agent to access VMs but don't want to give this agent real
root access on the system.
A few changes:
- Use smaller types in struct nvmm_capability.
- Use smaller type for nvmm_io.port.
- Switch exitstate to a compacted structure.
Add nram in struct nvmm_ctl_mach_info.
Add nvmmctl, with two commands for now.
Macro tidiness.
Sort SEE ALSO.
should be fork(2), noticed by wiz
Add debug entry for newly introduced nvmmctl utility.
Annotate a covering switch as such to avoid warnings about missing
returns.
Forgot to put nvmmctl in the "nvmm" group.
Add nvmm group.
 1.5.2.1  25-Sep-2019  martin Pull up following revision(s) (requested by nakayama in ticket #240):

usr.sbin/postinstall/postinstall.in: revision 1.6
usr.sbin/postinstall/postinstall.in: revision 1.7

exclude_libs - redirect ls 2> /dev/null so that the user is not
spammed with errors for directories without any libraries; the most
common case in the wild would be empty /usr/libdata/debug. Add -d to
ls for good measure while here.

-

Add ${DEST_DIR} prefix to check target directory not host directory.
 1.19.2.3  21-Apr-2020  martin Sync with HEAD
 1.19.2.2  13-Apr-2020  martin Mostly merge changes from HEAD up to 20200411
 1.19.2.1  09-Apr-2020  martin file postinstall.in was added on branch phil-wifi on 2020-04-13 08:05:56 +0000
 1.51.2.4  31-Oct-2024  martin Pull up following revision(s) (requested by spz in ticket #992):

usr.sbin/postinstall/postinstall.in: revision 1.68
usr.sbin/postinstall/postinstall.in: revision 1.71

(typo) it used to be /var/db/blacklistd.db not /var/db/blacklist.db

PR bin/58476: second half: be more selective with the strings to update
for blacklistd -> blocklistd
issue pointed out and patch supplied by Timo Buhrmester
 1.51.2.3  11-Mar-2024  martin Pull up following revision(s) (requested by christos in ticket #622):

etc/named.conf: revision 1.11
usr.sbin/postinstall/postinstall.in: revision 1.59
external/mpl/bind/dist/lib/isc/netmgr/netmgr-int.h: revision 1.11
usr.sbin/postinstall/postinstall.in: revision 1.60
usr.sbin/postinstall/postinstall.in: revision 1.61

Make sure that the extra field is maximally aligned since it is used for
other struct storage.
- fix named.conf (remove dnssec-enable option)
- use proper local variables instead of adding _ or other prefixes.
- centralize rm use
- use grep -q instead of > /dev/null
- reduce constant duplication

no local in loops, simplify eval (thanks kre)

postinstall: fix endless loop (since 2024-03-07)

remove obsolete option "dnssec-enable"
 1.51.2.2  03-Feb-2024  martin Pull up following revision(s) (requested by riastradh in ticket #573):

usr.sbin/postinstall/postinstall.in: revision 1.58

postinstall(8): Don't say /etc/openssl/certs.conf already exists.

It's confusing when all the other `postinstall fix' actions are
silent in the event they don't have anything to do.

PR install/57885
 1.51.2.1  04-Sep-2023  martin Pull up following revision(s) (requested by riastradh in ticket #343):

external/mpl/mozilla-certdata/dist/certdata.txt: revision 1.1.1.1
external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_G3.pem: revision 1.1
distrib/sets/lists/man/mi: revision 1.1764
external/mpl/mozilla-certdata/share/certs/ACCVRAIZ1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem: revision 1.1
tests/usr.sbin/certctl/certs4/DigiCert_Global_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Server_Authentication_Root_R46.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GlobalSign_Secure_Mail_Root_E45.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/SSL.com_Root_Certification_Authority_ECC.pem: revision 1.1
tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem: revision 1.1
tests/usr.sbin/certctl/certs2/GTS_Root_R1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/BJCA_Global_Root_CA1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Izenpe.com.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_2.pem: revision 1.1
tests/usr.sbin/certctl/certs4/Makefile: revision 1.1
external/mpl/mozilla-certdata/share/certs/Global_Chambersign_Root_-_2008.pem: revision 1.1
distrib/sets/lists/etc/mi: revision 1.272
external/mpl/mozilla-certdata/share/certs/ISRG_Root_X1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/TunTrust_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/D-TRUST_BR_Root_CA_1_2020.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/SSL.com_Root_Certification_Authority_RSA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Certum_EC-384_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Security_Communication_RootCA3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/IdenTrust_Public_Sector_Root_CA_1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_EC1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_G2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/SZAFIR_ROOT_CA2.pem: revision 1.1
tests/usr.sbin/certctl/t_certctl.sh: revision 1.1
external/mpl/mozilla-certdata/share/certs/UCA_Global_G2_Root.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/HARICA_Client_ECC_Root_CA_2021.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/COMODO_ECC_Certification_Authority.pem: revision 1.1
tests/usr.sbin/certctl/t_certctl.sh: revision 1.2
tests/usr.sbin/certctl/certs1/DigiCert_Global_Root_CA.pem: revision 1.1
tests/usr.sbin/certctl/t_certctl.sh: revision 1.3
external/mpl/mozilla-certdata/Makefile: revision 1.1
external/mpl/mozilla-certdata/share/certs/DIGITALSIGN_GLOBAL_ROOT_RSA_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GTS_Root_R2.pem: revision 1.1
usr.sbin/certctl/certctl.sh: revision 1.1
tests/usr.sbin/certctl/t_certctl.sh: revision 1.4
external/mpl/mozilla-certdata/share/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/SwissSign_Silver_CA_-_G2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Starfield_Class_2_CA.pem: revision 1.1
usr.sbin/certctl/certctl.sh: revision 1.2
tests/usr.sbin/certctl/t_certctl.sh: revision 1.5
usr.sbin/certctl/certctl.sh: revision 1.3
tests/usr.sbin/certctl/t_certctl.sh: revision 1.6
usr.sbin/certctl/certctl.sh: revision 1.4
tests/usr.sbin/certctl/t_certctl.sh: revision 1.7
external/mpl/mozilla-certdata/share/certs/Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem: revision 1.1
tests/usr.sbin/certctl/t_certctl.sh: revision 1.8
external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Server_Authentication_Root_E46.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Hongkong_Post_Root_CA_3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_G4.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Security_Communication_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/ANF_Secure_Server_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Chambers_of_Commerce_Root_-_2008.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Go_Daddy_Class_2_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/USERTrust_RSA_Certification_Authority.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Trustwave_Global_ECC_P384_Certification_Authority.pem: revision 1.1
external/mpl/mozilla-certdata/share/certdata.awk: revision 1.1
external/mpl/mozilla-certdata/share/certs/HARICA_TLS_ECC_Root_CA_2021.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_ECC_G2_2020.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Email_Protection_Root_R46.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/TrustCor_ECA-1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GlobalSign_ECC_Root_CA_-_R5.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/SSL.com_TLS_ECC_Root_CA_2022.pem: revision 1.1
usr.sbin/Makefile: revision 1.292
external/mpl/mozilla-certdata/share/certs/AffirmTrust_Premium.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/CA_Disig_Root_R2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/emSign_Root_CA_-_C1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA_-_R6.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/DigiCert_Trusted_Root_G4.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_RSA_G2_2020.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/vTrus_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/T-TeleSec_GlobalRoot_Class_2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_R46.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/TrustCor_RootCert_CA-2.pem: revision 1.1
etc/mtree/special: revision 1.176
external/mpl/mozilla-certdata/share/certs/USERTrust_ECC_Certification_Authority.pem: revision 1.1
etc/mtree/special: revision 1.177
etc/mtree/special: revision 1.178
external/mpl/mozilla-certdata/share/certs/AffirmTrust_Premium_ECC.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/vTrus_ECC_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/DigiCert_TLS_ECC_P384_Root_G5.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/NAVER_Global_Root_Certification_Authority.pem: revision 1.1
external/mpl/mozilla-certdata/share/server.trust: revision 1.1
external/mpl/mozilla-certdata/share/certs/SecureTrust_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/code.trust: revision 1.1
external/mpl/mozilla-certdata/share/certs/SSL.com_TLS_RSA_Root_CA_2022.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_4.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/DigiCert_TLS_RSA4096_Root_G5.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_G2.pem: revision 1.1
tests/usr.sbin/certctl/certs1/Makefile: revision 1.1
external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Email_Protection_Root_E46.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/TWCA_Global_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/DigiCert_SMIME_RSA4096_Root_G5.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/SSL.com_Client_ECC_Root_CA_2022.pem: revision 1.1
share/man/man7/hier.7: revision 1.141
external/mpl/mozilla-certdata/share/certs/Certigna.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/certSIGN_Root_CA_G2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Certigna_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Entrust.net_Premium_2048_Secure_Server_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GTS_Root_R4.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/T-TeleSec_GlobalRoot_Class_3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Telia_Root_CA_v2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_3_G3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/emSign_ECC_Root_CA_-_G3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Security_Communication_RootCA2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/TWCA_Root_Certification_Authority.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Buypass_Class_2_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/emSign_ECC_Root_CA_-_C3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/SSL.com_EV_Root_Certification_Authority_RSA_R2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GTS_Root_R1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/SSL.com_Client_RSA_Root_CA_2022.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/HiPKI_Root_CA_-_G1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Starfield_Root_Certificate_Authority_-_G2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/SwissSign_Gold_CA_-_G2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GB_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/AffirmTrust_Networking.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem: revision 1.1
tests/usr.sbin/certctl/Makefile.inc: revision 1.1
external/mpl/mozilla-certdata/share/certs/COMODO_RSA_Certification_Authority.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Network_CA_2.pem: revision 1.1
tests/usr.sbin/certctl/certs2/GlobalSign_Root_CA_-_R3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GC_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_Class_3_CA_2_EV_2009.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/AffirmTrust_Commercial.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Buypass_Class_3_Root_CA.pem: revision 1.1
distrib/sets/lists/tests/mi: revision 1.1292
external/mpl/mozilla-certdata/share/certs/UCA_Extended_Validation_Root.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Trustwave_Global_ECC_P256_Certification_Authority.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Network_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_2.pem: revision 1.1
external/mpl/mozilla-certdata/share/email.trust: revision 1.1
external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_2011.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/D-TRUST_EV_Root_CA_1_2020.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/ePKI_Root_Certification_Authority.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/DIGITALSIGN_GLOBAL_ROOT_ECDSA_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GlobalSign_ECC_Root_CA_-_R4.pem: revision 1.1
tests/usr.sbin/certctl/certs2/Makefile: revision 1.1
tests/usr.sbin/Makefile: revision 1.8
external/mpl/mozilla-certdata/share/certs/Trustwave_Global_Certification_Authority.pem: revision 1.1
tests/usr.sbin/certctl/Makefile: revision 1.1
external/mpl/mozilla-certdata/share/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/IdenTrust_Commercial_Root_CA_1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/DigiCert_SMIME_ECC_P384_Root_G5.pem: revision 1.1
tests/usr.sbin/certctl/certs1/Explicitly_Distrust_DigiNotar_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/TrustCor_RootCert_CA-1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Staat_der_Nederlanden_Root_CA_-_G3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_3.pem: revision 1.1
external/mpl/mozilla-certdata/share/Makefile: revision 1.1
external/mpl/mozilla-certdata/share/Makefile: revision 1.2
external/mpl/mozilla-certdata/share/certs/Microsec_e-Szigno_Root_CA_2009.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/BJCA_Global_Root_CA2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/HARICA_Client_RSA_Root_CA_2021.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GDCA_TrustAUTH_R5_ROOT.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_3.pem: revision 1.1
tests/usr.sbin/certctl/certs4/AC_RAIZ_FNMT-RCM.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/ISRG_Root_X2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_CA_3_2013.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Microsoft_RSA_Root_Certificate_Authority_2017.pem: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.252
external/mpl/mozilla-certdata/share/certs/CFCA_EV_ROOT.pem: revision 1.1
etc/mtree/NetBSD.dist.base: revision 1.253
external/mpl/mozilla-certdata/share/certs/Starfield_Services_Root_Certificate_Authority_-_G2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_G3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/emSign_Root_CA_-_G1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Microsoft_ECC_Root_Certificate_Authority_2017.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Explicitly_Distrust_DigiNotar_Root_CA.pem: revision 1.1
usr.sbin/certctl/Makefile: revision 1.1
external/mpl/mozilla-certdata/share/certs/Security_Communication_ECC_RootCA1.pem: revision 1.1
usr.sbin/certctl/Makefile: revision 1.2
usr.sbin/certctl/Makefile: revision 1.3
external/mpl/mozilla-certdata/share/certs/GTS_Root_R3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/e-Szigno_Root_CA_2017.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/certSIGN_ROOT_CA.pem: revision 1.1
doc/3RDPARTY: revision 1.1949
external/mpl/mozilla-certdata/share/certs/Certainly_Root_R1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/TeliaSonera_Root_CA_v1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/HARICA_TLS_RSA_Root_CA_2021.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/NetLock_Arany_Class_Gold.pem: revision 1.1
usr.sbin/postinstall/postinstall.in: revision 1.53
usr.sbin/postinstall/postinstall.in: revision 1.54
tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem: revision 1.1
etc/Makefile: revision 1.467
usr.sbin/postinstall/postinstall.in: revision 1.55
tests/usr.sbin/certctl/certs3/Makefile: revision 1.1
external/mpl/mozilla-certdata/share/certs/GLOBALTRUST_2020.pem: revision 1.1
etc/mtree/NetBSD.dist.tests: revision 1.200
external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_1_G3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA_-_R3.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Actalis_Authentication_Root_CA.pem: revision 1.1
distrib/sets/lists/base/mi: revision 1.1326
distrib/sets/lists/base/mi: revision 1.1327
external/mpl/mozilla-certdata/share/certs/SecureSign_RootCA11.pem: revision 1.1
distrib/sets/lists/base/mi: revision 1.1328
external/mpl/mozilla-certdata/share/certs/Comodo_AAA_Services_root.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_G2.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_2_G3.pem: revision 1.1
distrib/sets/lists/base/mi: revision 1.1329
external/mpl/mozilla-certdata/share/certs/COMODO_Certification_Authority.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Certum_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/DigiCert_High_Assurance_EV_Root_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GlobalSign_Secure_Mail_Root_R45.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Secure_Global_CA.pem: revision 1.1
usr.sbin/certctl/certctl.8: revision 1.1
external/mpl/mozilla-certdata/share/certs/XRamp_Global_CA_Root.pem: revision 1.1
external/mpl/Makefile: revision 1.5
usr.sbin/certctl/certctl.8: revision 1.2
external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_Class_3_CA_2_2009.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Baltimore_CyberTrust_Root.pem: revision 1.1
usr.sbin/certctl/certs.conf: revision 1.1
external/mpl/mozilla-certdata/share/certs/LAWtrust_Root_CA2_4096.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/AC_RAIZ_FNMT-RCM.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_ECC_TLS_2021.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GA_CA.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Certainly_Root_E1.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_E46.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_RSA_TLS_2021.pem: revision 1.1
external/mpl/mozilla-certdata/share/certs/SSL.com_EV_Root_Certification_Authority_ECC.pem: revision 1.1

certctl(8): New tool for managing OpenSSL CA certificates.
Same command-line syntax as FreeBSD, clearer semantics about which
parts are config and which parts are cache.

mozilla-certdata: Record in doc/3RDPARTY.

mozilla-certdata: Makefile infrastructure.

mozilla-certdata: regen
(actually, just `gen', this first time)

mozilla-certdata: Connect it up to the build.

postinstall(8): Add opensslcerts item to regen /etc/openssl/certs.

Works only with destdir /, since it relies on running openssl(1),
which is not available as a tool or required in the cross-build
environment.

certctl(8): Add xfail test for missing certs.conf.

Command should fail, i.e., exit with nonzero status, but it exits
with zero instead.

certctl(8): Exit nonzero on missing certs.conf.

certctl(8): Test prepopulated /etc/openssl/certs.

This is the scenario when you have previously populated
/etc/openssl/certs manually, or with a package like mozilla-rootcerts
or mozilla-rootcerts-openssl, and you update to a version of NetBSD
with certctl(8). In this case, certctl(8) should avoid destroying
your work.

While here, also test some related but less likely edge cases:
- nonexistent
- symlink
- regular file

certctl(8): Avoid clobbering prepopulated /etc/openssl/certs.

Also avoid clobbering some other edge cases like symlinks or
non-directories there.

This way, we have the following transitions on system updates:
- If /etc/openssl/certs is empty (as in default NetBSD<10 installs):
  quietly populated on rehash.
- If /etc/openssl/certs is nonempty (you've added things to it,
  e.g. by hand or with mozilla-rootcerts) and has never been managed
  by certctl(8): left alone on rehash, with an error message to
  explain what you need to do.
- If /etc/openssl/certs has been managed by certctl(8): quietly
  updated on rehash.

Note: This means current installations made since certctl(8) was
added will be treated like /etc/openssl/certs is nonempty and has
never been managed by certctl(8). To work around this, you can just
delete /etc/openssl/certs and rerun `certctl rehash'.

postinstall(8): Fail if `certctl rehash' fails.

Not using `set -e' here, evidently (maybe we should), so the separate
return 0 suppressed the error.

distrib/sets/lists: certs.conf belongs in etc, not in base.
Oops.

certctl(8): Set certs.conf 644 and add it to etc/mtree/special.
Now that we have /etc/openssl/certs.conf mentioned here, also
list /etc/openssl.

hier(7): Document /etc/openssl.

certctl(8): Minor man page clarifications.
- Specify exactly what /etc/openssl/certs gets populated with.
- Change HTTPS to TLS.
- Specify the permitted character class in certs.conf.
(Maybe more conservative than strictly needed; but let's stay on
the safe side.)

certctl(8): Fix some bugs with evil pathnames.

certctl(8): Fix quoting and whitespace style in evilpath test.

No functional change intended.

etc/mtree/special: Fix spaces/tabs.
No functional change intended.

mozilla-certdata: Install relative symlinks.
Slightly more compact this way, and you can examine them in a destdir
without chrooting. Not terribly important, but a minor convenience.

certctl(8): Test more evil pathnames.

certctl(8): Install certs.conf in /usr/share/examples too.
This way postinstall(8) can refer to the default one when you've done
an upgrade without etcupdate or similar to pull in new config files
from etc.tgz.

Not great -- we should do this systematically for all config files in
/etc, but this one-off hack is less risky for 10.

postinstall(8): Handle various certs.conf scenarios gracefully.

Tested the following scenarios:
1. fresh install
   empty /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash
     [x] check: fail -- needs rehash
     [x] fix: pass -- quietly rehash successfully (go to 4)
2. fresh upgrade
   empty /etc/openssl/certs
   no /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: pass -- install default /etc/openssl/certs.conf (go to 1)
   - opensslcertsrehash
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: fail -- complain missing /etc/openssl/certs.conf
3. upgrade from certctl, changes to certs
   certctl-managed /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash
     [x] check: fail -- needs rehash
     [x] fix: pass -- quietly rehash successfully (go to 4)
4. upgrade from certctl, no changes to certs
   certctl-managed /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash
     [x] check: pass
     [x] fix: pass -- quietly rehash successfully (go to 4)
5. upgrade from mozilla-rootcerts
   populated /etc/openssl/certs
   no /etc/openssl/certs.conf
   - opensslcertsconf:
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: pass -- install manual /etc/openssl/certs.conf (go to 7)
   - opensslcertsrehash:
     [x] check: fail -- complain missing /etc/openssl/certs.conf
     [x] fix: fail -- complain missing /etc/openssl/certs.conf
6. upgrade from mozilla-rootcerts with etcupdate naively
   populated /etc/openssl/certs
   default /etc/openssl/certs.conf
   - opensslcertsconf:
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash:
     [x] check: fail -- complain mismatched certs/ and certs.conf
     [x] fix: fail -- complain mismatched certs/ and certs.conf
7. upgrade from mozilla-rootcerts with etcupdate manually
   populated /etc/openssl/certs
   manual /etc/openssl/certs.conf
   - opensslcertsconf:
     [x] check: pass
     [x] fix: pass -- nothing
   - opensslcertsrehash:
     [x] check: pass
     [x] fix: pass -- skip rehash because manual (go to 7)

XXX Someone should draft automatic tests for postinstall. It has a
very good track record, but it sure would be nice to automate this
testing rather than redo it each time I make a tiny change.
 1.63.2.1  02-Aug-2025  perseant Sync with HEAD
