[gentoo-commits] repo/gentoo:master commit in: app-misc/ca-certificates/ - gentoo-commits

From:	"Robin H. Johnson" <robbat2@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: app-misc/ca-certificates/
Date:	Mon, 01 Jun 2020 22:56:33
Message-Id:	`1591052186.199aab84e909a786b64e171a3c84b5337575d877.robbat2@gentoo`

1

commit:     199aab84e909a786b64e171a3c84b5337575d877

2

Author:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>

3

AuthorDate: Mon Jun  1 22:55:43 2020 +0000

4

Commit:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>

5

CommitDate: Mon Jun  1 22:56:26 2020 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=199aab84

7

8

app-misc/ca-certificates: bump

9

10

Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>

11

12

 app-misc/ca-certificates/Manifest                  |   1 +

13

 .../ca-certificates-20190110.3.53.ebuild           | 184 +++++++++++++++++++++

14

 2 files changed, 185 insertions(+)

15

16

diff --git a/app-misc/ca-certificates/Manifest b/app-misc/ca-certificates/Manifest

17

index e38a2df15b4..b42b17c308c 100644

18

--- a/app-misc/ca-certificates/Manifest

19

+++ b/app-misc/ca-certificates/Manifest

20

@@ -1,3 +1,4 @@

21

 DIST ca-certificates_20190110.tar.xz 243472 BLAKE2B b63e541fcf611712634f8c7fd2da5f189b999c39118047a7e2fd43ddd5e0fbefeaa08788363482a02be55a347447d4cc95f1505bf869accf9cd847578ad2e879 SHA512 9ce2661018edb120d0ef5bd3ed52c0f73f577d7607d135a31730549f5eb4176db4865cdb8bde77a78dc3efb8968846da5e72af8a833a9da2a8a7deb4f1560372

22

 DIST nss-3.43.tar.gz 23466026 BLAKE2B 1b43036daeedea1643a7fe1a8defa167097997efec529417c4857eaa29d453b6a588f462078f13662193d58dfd8f9566c22d729729591934ef154b9befb8f98d SHA512 e9dfba5bd6f68c5ab58fc7a6fa1b16a035be1b1b7c436cf787bdc99257c5f54c78d73d94d015bffd29420df19b2a2818166c68fe592dd7208ab5605344827fb5

23

+DIST nss-3.53.tar.gz 81178428 BLAKE2B 5e67b02bf0ba9390311d77ee4d7b86fd7339bd4f7d830b32563799e4eef126143f0b76b2933ad14c5c5d3da6cb3fa0e670aca7ce9654316123abadce25a728ec SHA512 280edf24356b764584200bff949af4a7f88514ee8ac80bf5348a9a844a8b1eb263e9aa1d772644bd8bb1bd195c12b6cc173280cfc88cd97e56562e1c40e71503

24

 DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0

25

26

diff --git a/app-misc/ca-certificates/ca-certificates-20190110.3.53.ebuild b/app-misc/ca-certificates/ca-certificates-20190110.3.53.ebuild

27

new file mode 100644

28

index 00000000000..0297708d122

29

--- /dev/null

30

+++ b/app-misc/ca-certificates/ca-certificates-20190110.3.53.ebuild

31

@@ -0,0 +1,184 @@

32

+# Copyright 1999-2020 Gentoo Authors

33

+# Distributed under the terms of the GNU General Public License v2

34

+

35

+# The Debian ca-certificates package merely takes the CA database as it exists

36

+# in the nss package and repackages it for use by openssl.

37

+#

38

+# The issue with using the compiled debs directly is two fold:

39

+# - they do not update frequently enough for us to rely on them

40

+# - they pull the CA database from nss tip of tree rather than the release

41

+#

42

+# So we take the Debian source tools and combine them with the latest nss

43

+# release to produce (largely) the same end result.  The difference is that

44

+# now we know our cert database is kept in sync with nss and, if need be,

45

+# can be sync with nss tip of tree more frequently to respond to bugs.

46

+

47

+# When triaging bugs from users, here's some handy tips:

48

+# - To see what cert is hitting errors, use openssl:

49

+#   openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME

50

+#   Focus on the errors written to stderr.

51

+#

52

+# - Look at the upstream log as to why certs were added/removed:

53

+#   https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt

54

+#

55

+# - If people want to add/remove certs, tell them to file w/mozilla:

56

+#   https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk

57

+

58

+EAPI=6

59

+

60

+PYTHON_COMPAT=( python3_{6,7,8} )

61

+

62

+inherit eutils python-any-r1

63

+

64

+if [[ ${PV} == *.* ]] ; then

65

+	# Compile from source ourselves.

66

+	PRECOMPILED=false

67

+	inherit eapi7-ver

68

+

69

+	DEB_VER=$(ver_cut 1)

70

+	NSS_VER=$(ver_cut 2-)

71

+	RTM_NAME="NSS_${NSS_VER//./_}_RTM"

72

+else

73

+	# Debian precompiled version.

74

+	PRECOMPILED=true

75

+	inherit unpacker

76

+fi

77

+

78

+DESCRIPTION="Common CA Certificates PEM files"

79

+HOMEPAGE="https://packages.debian.org/sid/ca-certificates"

80

+NMU_PR=""

81

+if ${PRECOMPILED} ; then

82

+	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"

83

+else

84

+	SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz

85

+		https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz

86

+		cacert? (

87

+			https://dev.gentoo.org/~axs/distfiles/nss-cacert-class1-class3.patch

88

+		)"

89

+fi

90

+

91

+LICENSE="MPL-1.1"

92

+SLOT="0"

93

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"

94

+IUSE=""

95

+${PRECOMPILED} || IUSE+=" cacert"

96

+

97

+DEPEND=""

98

+if ${PRECOMPILED} ; then

99

+	DEPEND+=" !<sys-apps/portage-2.1.10.41"

100

+fi

101

+# c_rehash: we run `c_rehash`

102

+# debianutils: we run `run-parts`

103

+RDEPEND="${DEPEND}

104

+	app-misc/c_rehash

105

+	sys-apps/debianutils"

106

+

107

+if ! ${PRECOMPILED}; then

108

+	DEPEND+=" ${PYTHON_DEPS}"

109

+fi

110

+

111

+S=${WORKDIR}

112

+

113

+pkg_setup() {

114

+	# For the conversion to having it in CONFIG_PROTECT_MASK,

115

+	# we need to tell users about it once manually first.

116

+	[[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \

117

+		|| ewarn "You should run update-ca-certificates manually after etc-update"

118

+}

119

+

120

+src_unpack() {

121

+	${PRECOMPILED} || default

122

+

123

+	# Do all the work in the image subdir to avoid conflicting with source

124

+	# dirs in ${WORKDIR}.  Need to perform everything in the offset #381937

125

+	mkdir -p "image/${EPREFIX}" || die

126

+	cd "image/${EPREFIX}" || die

127

+

128

+	${PRECOMPILED} && unpacker_src_unpack

129

+}

130

+

131

+src_prepare() {

132

+	cd "image/${EPREFIX}" || die

133

+	if ! ${PRECOMPILED} ; then

134

+		mkdir -p usr/sbin || die

135

+		cp -p "${S}"/${PN}-${DEB_VER}/sbin/update-ca-certificates \

136

+			usr/sbin/ || die

137

+

138

+		if use cacert ; then

139

+			pushd "${S}"/nss-${NSS_VER} >/dev/null || die

140

+			eapply -p0 "${DISTDIR}"/nss-cacert-class1-class3.patch

141

+			popd >/dev/null || die

142

+		fi

143

+	fi

144

+

145

+	default

146

+	eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch

147

+	local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')

148

+	sed -i \

149

+		-e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \

150

+		-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \

151

+		-e 's/openssl rehash/c_rehash/' \

152

+		usr/sbin/update-ca-certificates || die

153

+}

154

+

155

+src_compile() {

156

+	cd "image/${EPREFIX}" || die

157

+	if ! ${PRECOMPILED} ; then

158

+		python_setup

159

+		local d="${S}/${PN}-${DEB_VER}/mozilla" c="usr/share/${PN}"

160

+		# Grab the database from the nss sources.

161

+		cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" || die

162

+		emake -C "${d}"

163

+

164

+		# Now move the files to the same places that the precompiled would.

165

+		mkdir -p etc/ssl/certs \

166

+			etc/ca-certificates/update.d \

167

+			"${c}"/mozilla \

168

+			|| die

169

+		if use cacert ; then

170

+			mkdir -p "${c}"/cacert.org || die

171

+			mv "${d}"/CAcert_Inc..crt \

172

+				"${c}"/cacert.org/cacert.org_root.crt || die

173

+		fi

174

+		mv "${d}"/*.crt "${c}"/mozilla/ || die

175

+	else

176

+		mv usr/share/doc/{ca-certificates,${PF}} || die

177

+	fi

178

+

179

+	(

180

+		echo "# Automatically generated by ${CATEGORY}/${PF}"

181

+		echo "# $(date -u)"

182

+		echo "# Do not edit."

183

+		cd "${c}" || die

184

+		find * -name '*.crt' | LC_ALL=C sort

185

+	) > etc/ca-certificates.conf

186

+

187

+	sh usr/sbin/update-ca-certificates --root "${S}/image" || die

188

+}

189

+

190

+src_install() {

191

+	cp -pPR image/* "${D}"/ || die

192

+	if ! ${PRECOMPILED} ; then

193

+		cd ${PN}-${DEB_VER} || die

194

+		doman sbin/*.8

195

+		dodoc debian/README.* examples/ca-certificates-local/README

196

+	fi

197

+

198

+	echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates

199

+	doenvd 98ca-certificates

200

+}

201

+

202

+pkg_postinst() {

203

+	if [[ -d "${EROOT%/}/usr/local/share/ca-certificates" ]] ; then

204

+		# if the user has local certs, we need to rebuild again

205

+		# to include their stuff in the db.

206

+		# However it's too overzealous when the user has custom certs in place.

207

+		# --fresh is to clean up dangling symlinks

208

+		"${EROOT%/}"/usr/sbin/update-ca-certificates --root "${ROOT}"

209

+	fi

210

+

211

+	if [[ -n "$(find -L "${EROOT%/}"/etc/ssl/certs/ -type l)" ]] ; then

212

+		ewarn "Removing the following broken symlinks:"

213

+		ewarn "$(find -L "${EROOT%/}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"

214

+	fi

215

+}

1	commit: 199aab84e909a786b64e171a3c84b5337575d877
2	Author: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
3	AuthorDate: Mon Jun 1 22:55:43 2020 +0000
4	Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
5	CommitDate: Mon Jun 1 22:56:26 2020 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=199aab84
7
8	app-misc/ca-certificates: bump
9
10	Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>
11
12	app-misc/ca-certificates/Manifest \| 1 +
13	.../ca-certificates-20190110.3.53.ebuild \| 184 +++++++++++++++++++++
14	2 files changed, 185 insertions(+)
15
16	diff --git a/app-misc/ca-certificates/Manifest b/app-misc/ca-certificates/Manifest
17	index e38a2df15b4..b42b17c308c 100644
18	--- a/app-misc/ca-certificates/Manifest
19	+++ b/app-misc/ca-certificates/Manifest
20	@@ -1,3 +1,4 @@
21	DIST ca-certificates_20190110.tar.xz 243472 BLAKE2B b63e541fcf611712634f8c7fd2da5f189b999c39118047a7e2fd43ddd5e0fbefeaa08788363482a02be55a347447d4cc95f1505bf869accf9cd847578ad2e879 SHA512 9ce2661018edb120d0ef5bd3ed52c0f73f577d7607d135a31730549f5eb4176db4865cdb8bde77a78dc3efb8968846da5e72af8a833a9da2a8a7deb4f1560372
22	DIST nss-3.43.tar.gz 23466026 BLAKE2B 1b43036daeedea1643a7fe1a8defa167097997efec529417c4857eaa29d453b6a588f462078f13662193d58dfd8f9566c22d729729591934ef154b9befb8f98d SHA512 e9dfba5bd6f68c5ab58fc7a6fa1b16a035be1b1b7c436cf787bdc99257c5f54c78d73d94d015bffd29420df19b2a2818166c68fe592dd7208ab5605344827fb5
23	+DIST nss-3.53.tar.gz 81178428 BLAKE2B 5e67b02bf0ba9390311d77ee4d7b86fd7339bd4f7d830b32563799e4eef126143f0b76b2933ad14c5c5d3da6cb3fa0e670aca7ce9654316123abadce25a728ec SHA512 280edf24356b764584200bff949af4a7f88514ee8ac80bf5348a9a844a8b1eb263e9aa1d772644bd8bb1bd195c12b6cc173280cfc88cd97e56562e1c40e71503
24	DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0
25
26	diff --git a/app-misc/ca-certificates/ca-certificates-20190110.3.53.ebuild b/app-misc/ca-certificates/ca-certificates-20190110.3.53.ebuild
27	new file mode 100644
28	index 00000000000..0297708d122
29	--- /dev/null
30	+++ b/app-misc/ca-certificates/ca-certificates-20190110.3.53.ebuild
31	@@ -0,0 +1,184 @@
32	+# Copyright 1999-2020 Gentoo Authors
33	+# Distributed under the terms of the GNU General Public License v2
34	+
35	+# The Debian ca-certificates package merely takes the CA database as it exists
36	+# in the nss package and repackages it for use by openssl.
37	+#
38	+# The issue with using the compiled debs directly is two fold:
39	+# - they do not update frequently enough for us to rely on them
40	+# - they pull the CA database from nss tip of tree rather than the release
41	+#
42	+# So we take the Debian source tools and combine them with the latest nss
43	+# release to produce (largely) the same end result. The difference is that
44	+# now we know our cert database is kept in sync with nss and, if need be,
45	+# can be sync with nss tip of tree more frequently to respond to bugs.
46	+
47	+# When triaging bugs from users, here's some handy tips:
48	+# - To see what cert is hitting errors, use openssl:
49	+# openssl s_client -port 443 -CApath /etc/ssl/certs/ -host $HOSTNAME
50	+# Focus on the errors written to stderr.
51	+#
52	+# - Look at the upstream log as to why certs were added/removed:
53	+# https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
54	+#
55	+# - If people want to add/remove certs, tell them to file w/mozilla:
56	+# https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates&version=trunk
57	+
58	+EAPI=6
59	+
60	+PYTHON_COMPAT=( python3_{6,7,8} )
61	+
62	+inherit eutils python-any-r1
63	+
64	+if [[ ${PV} == . ]] ; then
65	+ # Compile from source ourselves.
66	+ PRECOMPILED=false
67	+ inherit eapi7-ver
68	+
69	+ DEB_VER=$(ver_cut 1)
70	+ NSS_VER=$(ver_cut 2-)
71	+ RTM_NAME="NSS_${NSS_VER//./_}_RTM"
72	+else
73	+ # Debian precompiled version.
74	+ PRECOMPILED=true
75	+ inherit unpacker
76	+fi
77	+
78	+DESCRIPTION="Common CA Certificates PEM files"
79	+HOMEPAGE="https://packages.debian.org/sid/ca-certificates"
80	+NMU_PR=""
81	+if ${PRECOMPILED} ; then
82	+ SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${PV}${NMU_PR:++nmu}${NMU_PR}_all.deb"
83	+else
84	+ SRC_URI="mirror://debian/pool/main/c/${PN}/${PN}_${DEB_VER}${NMU_PR:++nmu}${NMU_PR}.tar.xz
85	+ https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/nss-${NSS_VER}.tar.gz
86	+ cacert? (
87	+ https://dev.gentoo.org/~axs/distfiles/nss-cacert-class1-class3.patch
88	+ )"
89	+fi
90	+
91	+LICENSE="MPL-1.1"
92	+SLOT="0"
93	+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
94	+IUSE=""
95	+${PRECOMPILED} \|\| IUSE+=" cacert"
96	+
97	+DEPEND=""
98	+if ${PRECOMPILED} ; then
99	+ DEPEND+=" !<sys-apps/portage-2.1.10.41"
100	+fi
101	+# c_rehash: we run `c_rehash`
102	+# debianutils: we run `run-parts`
103	+RDEPEND="${DEPEND}
104	+ app-misc/c_rehash
105	+ sys-apps/debianutils"
106	+
107	+if ! ${PRECOMPILED}; then
108	+ DEPEND+=" ${PYTHON_DEPS}"
109	+fi
110	+
111	+S=${WORKDIR}
112	+
113	+pkg_setup() {
114	+ # For the conversion to having it in CONFIG_PROTECT_MASK,
115	+ # we need to tell users about it once manually first.
116	+ [[ -f "${EPREFIX}"/etc/env.d/98ca-certificates ]] \
117	+ \|\| ewarn "You should run update-ca-certificates manually after etc-update"
118	+}
119	+
120	+src_unpack() {
121	+ ${PRECOMPILED} \|\| default
122	+
123	+ # Do all the work in the image subdir to avoid conflicting with source
124	+ # dirs in ${WORKDIR}. Need to perform everything in the offset #381937
125	+ mkdir -p "image/${EPREFIX}" \|\| die
126	+ cd "image/${EPREFIX}" \|\| die
127	+
128	+ ${PRECOMPILED} && unpacker_src_unpack
129	+}
130	+
131	+src_prepare() {
132	+ cd "image/${EPREFIX}" \|\| die
133	+ if ! ${PRECOMPILED} ; then
134	+ mkdir -p usr/sbin \|\| die
135	+ cp -p "${S}"/${PN}-${DEB_VER}/sbin/update-ca-certificates \
136	+ usr/sbin/ \|\| die
137	+
138	+ if use cacert ; then
139	+ pushd "${S}"/nss-${NSS_VER} >/dev/null \|\| die
140	+ eapply -p0 "${DISTDIR}"/nss-cacert-class1-class3.patch
141	+ popd >/dev/null \|\| die
142	+ fi
143	+ fi
144	+
145	+ default
146	+ eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch
147	+ local relp=$(echo "${EPREFIX}" \| sed -e 's:[^/]\+:..:g')
148	+ sed -i \
149	+ -e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
150	+ -e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
151	+ -e 's/openssl rehash/c_rehash/' \
152	+ usr/sbin/update-ca-certificates \|\| die
153	+}
154	+
155	+src_compile() {
156	+ cd "image/${EPREFIX}" \|\| die
157	+ if ! ${PRECOMPILED} ; then
158	+ python_setup
159	+ local d="${S}/${PN}-${DEB_VER}/mozilla" c="usr/share/${PN}"
160	+ # Grab the database from the nss sources.
161	+ cp "${S}"/nss-${NSS_VER}/nss/lib/ckfw/builtins/{certdata.txt,nssckbi.h} "${d}" \|\| die
162	+ emake -C "${d}"
163	+
164	+ # Now move the files to the same places that the precompiled would.
165	+ mkdir -p etc/ssl/certs \
166	+ etc/ca-certificates/update.d \
167	+ "${c}"/mozilla \
168	+ \|\| die
169	+ if use cacert ; then
170	+ mkdir -p "${c}"/cacert.org \|\| die
171	+ mv "${d}"/CAcert_Inc..crt \
172	+ "${c}"/cacert.org/cacert.org_root.crt \|\| die
173	+ fi
174	+ mv "${d}"/*.crt "${c}"/mozilla/ \|\| die
175	+ else
176	+ mv usr/share/doc/{ca-certificates,${PF}} \|\| die
177	+ fi
178	+
179	+ (
180	+ echo "# Automatically generated by ${CATEGORY}/${PF}"
181	+ echo "# $(date -u)"
182	+ echo "# Do not edit."
183	+ cd "${c}" \|\| die
184	+ find * -name '*.crt' \| LC_ALL=C sort
185	+ ) > etc/ca-certificates.conf
186	+
187	+ sh usr/sbin/update-ca-certificates --root "${S}/image" \|\| die
188	+}
189	+
190	+src_install() {
191	+ cp -pPR image/* "${D}"/ \|\| die
192	+ if ! ${PRECOMPILED} ; then
193	+ cd ${PN}-${DEB_VER} \|\| die
194	+ doman sbin/*.8
195	+ dodoc debian/README.* examples/ca-certificates-local/README
196	+ fi
197	+
198	+ echo 'CONFIG_PROTECT_MASK="/etc/ca-certificates.conf"' > 98ca-certificates
199	+ doenvd 98ca-certificates
200	+}
201	+
202	+pkg_postinst() {
203	+ if [[ -d "${EROOT%/}/usr/local/share/ca-certificates" ]] ; then
204	+ # if the user has local certs, we need to rebuild again
205	+ # to include their stuff in the db.
206	+ # However it's too overzealous when the user has custom certs in place.
207	+ # --fresh is to clean up dangling symlinks
208	+ "${EROOT%/}"/usr/sbin/update-ca-certificates --root "${ROOT}"
209	+ fi
210	+
211	+ if [[ -n "$(find -L "${EROOT%/}"/etc/ssl/certs/ -type l)" ]] ; then
212	+ ewarn "Removing the following broken symlinks:"
213	+ ewarn "$(find -L "${EROOT%/}"/etc/ssl/certs/ -type l -printf '%p -> %l\n' -delete)"
214	+ fi
215	+}

Gentoo Archives: gentoo-commits