Currently, OpenSSL on Gentoo replaces the c_rehash command with the script from http://cvs.pld-linux.org/cgi-bin/viewvc.cgi/cvs/packages/openssl/openssl-c_rehash.sh (package app-misc/c_rehash). This script was last updated almost 6 years ago and is outdated. It does not support files with the extensions .crt, .cer, or .crl, but it is expected to do so (see the OpenSSL man page here: https://www.openssl.org/docs/man1.0.2/apps/c_rehash.html). Is there any reason to use this third-party bash script instead of the c_rehash perl script provided by OpenSSL itself? The OpenSSL ebuild removes this explicitly, although OpenSSL has a dependency on Perl and therefore this script should work....
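The behaviour the report above expects from c_rehash, as an added example that is not part of the original thread and is not the PLD or OpenSSL script: consider every .pem, .crt, .cer and .crl file, classify it by its PEM header, and link it as HASH.N (certificate) or HASH.rN (CRL). The function names are hypothetical; the sketch does not remove stale links or detect duplicate certificates.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical.

# Print the files in directory $1 that carry one of the four extensions
# named in the c_rehash man page.
rehash_candidates() {
    for f in "$1"/*.pem "$1"/*.crt "$1"/*.cer "$1"/*.crl; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# Classify by PEM header rather than by extension: a .pem may hold a key,
# a .crt may hold a CRL. Prints "cert", "crl" or "skip".
pem_kind() {
    if grep -Eq -e '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----' "$1"; then
        echo cert
    elif grep -q -e '^-----BEGIN X509 CRL-----' "$1"; then
        echo crl
    else
        echo skip
    fi
}

# First unused link name for hash $2 in directory $1. Colliding hashes get
# .0, .1, ...; CRLs (kind $3 = crl) use .r0, .r1, ...
next_link() {
    n=0
    [ "$3" = crl ] && prefix=r || prefix=
    while [ -e "$1/$2.$prefix$n" ] || [ -L "$1/$2.$prefix$n" ]; do
        n=$((n + 1))
    done
    printf '%s\n' "$2.$prefix$n"
}

# Create the hash symlinks in directory $1 (requires the openssl CLI).
rehash_dir() {
    rehash_candidates "$1" | while IFS= read -r f; do
        kind=$(pem_kind "$f")
        case $kind in
            cert) h=$(openssl x509 -hash -noout -in "$f") || continue ;;
            crl)  h=$(openssl crl -hash -noout -in "$f") || continue ;;
            *)    continue ;;
        esac
        ln -s "$(basename "$f")" "$1/$(next_link "$1" "$h" "$kind")"
    done
}
```

Calling `rehash_dir /path/to/certs` creates the links; a file that is skipped here is invisible to any application that looks certificates up by hash in that directory.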
openssl depends on perl for *building* only, not for the runtime. we do not want perl for runtime. we'd avoid it for building too if we could. we're not going back.
Ok. As c_rehash shell script upstream seems not maintained, I've created a patch here: https://github.com/gentoo/gentoo/pull/787
(In reply to nicolas.perrenoud from comment #2) or no one noticed & told the pld-linux guys. have you tried sending your patch over there ?
@vapier: Could you take a look at the PR and sign off on it? (here or gh). Thanks.
I got in touch with a dev of PLD Linux (http://lists.pld-linux.org/mailman/pipermail/pld-devel-en/2016-February/thread.html) and was able to supply a patch there (https://github.com/pld-linux/openssl/pull/1). When I asked about an update of the CVS repo of PLD Linux, which is used by app-misc/c_rehash, they told me that this is a history repository and no longer updated (http://lists.pld-linux.org/mailman/pipermail/pld-devel-en/2016-February/024698.html). I therefore suggest replacing the SRC_URL http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/openssl/openssl-c_rehash.sh used in app-misc/c_rehash with the GH address https://github.com/pld-linux/openssl/blob/master/openssl-c_rehash.sh. As they use a different versioning concept there, we need to think of a solution for how to set the version of the ebuild. What are your suggestions?
(In reply to nicolas.perrenoud from comment #5) we can just use datestamps derived from the git commit. something like 2016.02.02.1304. the git sha1 will have to be encoded into the ebuild itself.
the new version is in the tree: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09d5a7b0ce9ff87dc6d8ad80f25e0028a55f3770 but we have to update openssl/ca-certificates before the new version can go in. done w/newer ca-certificates here: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0dc37a597938972d0ac32d3216ae09520ceb4e4 but haven't pushed updates in openssl yet. will wait to see if anything goes wrong here first.
Is there any progress in stabilizing 1.0.2g_p8? ca-certificates has been updated quite a few times since 2016.
We're now using 'openssl rehash' but also the relevant versions were stabled long ago.