pkgbase: fix caroot packaging and add post-install script

The original intention for caroot was to be packaged separately, perhaps so that users can have a more/less conservative upgrade policy for this separated from the rest of base. secure/caroot/Makefile doesn't have anything interesting to package, but its subdirectories might. Move the PACKAGE= to Makefile.inc so both blacklisted and trusted get packaged consistently into the correct one rather than the default -utilities. Also tag the directories for package=caroot, as they could also be empty; blacklisted is empty by default, but trusted is not. Add a post-install script to do certctl rehash, along with a note should we eventually come up with a way to detect that files have been added or removed that requires a rehash. -caroot gets a dependency on -utilities, as that's where we provide certctl at the moment. We can perhaps reconsider this and put certctl into this package in the future, but there are some bits within -utilities that unconditionally invoke certctl so let's hold off for now. Reviewed by: manu (earlier version, before -utilities dep added) Differential Revision: https://reviews.freebsd.org/D23352
2020-01-29 18:47:08 +00:00 · 2020-01-29 18:47:08 +00:00 · fbd46fe94a
commit fbd46fe94a
parent 4be465ab46
5 changed files with 39 additions and 4 deletions
--- a/etc/mtree/BSD.usr.dist
+++ b/etc/mtree/BSD.usr.dist
@ -201,9 +201,9 @@
            ..
        ..
        certs
-            blacklisted
+            blacklisted tags=package=caroot
            ..
-            trusted
+            trusted tags=package=caroot
            ..
        ..
        dict
--- a/release/packages/caroot.ucl
+++ b/release/packages/caroot.ucl
@ -0,0 +1,31 @@
+#
+# $FreeBSD$
+#
+
+name = "FreeBSD-%PKGNAME%"
+origin = "base"
+version = "%VERSION%"
+comment = "%COMMENT%"
+categories = [ base ]
+maintainer = "re@FreeBSD.org"
+www = "https://www.FreeBSD.org"
+prefix = "/"
+licenselogic = "single"
+licenses = [ BSD2CLAUSE ]
+desc = <<EOD
+%DESC%
+EOD
+deps: {
+    FreeBSD-%PKGDEPS%: {
+        origin: "base",
+        version: "%VERSION%"
+    }
+}
+scripts: {
+	# XXX If pkg picks up a mechanism to detect in the post-install script
+	# files being added or removed, we should use it instead to gate the
+	# rehash.
+	post-install = <<EOD
+	[ -x /usr/sbin/certctl ] && /usr/sbin/certctl rehash
+EOD
+}
--- a/release/packages/generate-ucl.sh
+++ b/release/packages/generate-ucl.sh
@ -34,6 +34,9 @@ main() {
 	outname="$(echo ${outname} | tr '-' '_')"

 	case "${outname}" in
+		caroot)
+			pkgdeps="utilities"
+			;;
 		runtime)
 			outname="runtime"
 			uclfile="${uclfile}"
--- a/secure/caroot/Makefile
+++ b/secure/caroot/Makefile
@ -1,7 +1,5 @@
 # $FreeBSD$

-PACKAGE=	caroot
-
 CLEANFILES+=	certdata.txt

 SUBDIR+=	trusted
--- a/secure/caroot/Makefile.inc
+++ b/secure/caroot/Makefile.inc
@ -0,0 +1,3 @@
+# $FreeBSD$
+
+PACKAGE=	caroot