From: Renaud Allard
Subject: Re: [new] security/certspotter 0.16.0
To: ports@openbsd.org
Date: Wed, 14 Feb 2024 15:36:40 +0100

On 2/14/24 15:28, Stuart Henderson wrote:
> On 2024/02/14 15:04, Renaud Allard wrote:
>>
>>
>> On 2/14/24 14:43, Ian Darwin wrote:
>>> On 2/14/24 07:07, Stuart Henderson wrote:
>>>> ooof, this uses a *lot* of bandwidth!
>>>>
>>> From the man page:
>>>
>>>> -start_at_end
>>>>
>>>> : Start monitoring logs from the end rather than the beginning.
>>>>
>>>> |**WARNING**: monitoring from the beginning guarantees detection of
>>>> all certificates, but requires downloading hundreds of millions of
>>>> certificates, which takes days. |
>>
>> Whatever one you choose, it will need to build its database and that takes
>> days. I don't remember exactly how much time it took, but that was in the
>> one week range or so.
>> After it has downloaded every cert, it will be somewhat quiet.
>
> How about this so at least we do give some kind of warning?
> I added the docs in while there.
>

Yes, that warning makes sense. That's a good idea to add it. I was also surprised the first time, then I launched it with the start_at_end flag to see that it was exactly the same bandwidth-hungry behaviour.

>
> Index: Makefile > =================================================================== > RCS file: /cvs/ports/security/certspotter/Makefile,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 Makefile > --- Makefile 13 Feb 2024 11:57:52 -0000 1.1.1.1 > +++ Makefile 14 Feb 2024 14:28:01 -0000 > @@ -4,6 +4,7 @@ ONLY_FOR_ARCHS = aarch64 amd64 mips64 ri > COMMENT = Certificate Transparency log monitor > > V = 0.16.0 > +REVISION = 0 > MODGO_MODNAME = software.sslmate.com/src/certspotter > MODGO_VERSION = v${V}
> > @@ -21,6 +22,10 @@ PERMIT_PACKAGE = Yes > MODULES = lang/go > > WANTLIB += c pthread > + > +post-install: > + ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/certspotter > + ${INSTALL_DATA} ${WRKSRC}/*.md ${PREFIX}/share/doc/certspotter > > .include "modules.inc" > .include > Index: pkg/DESCR > =================================================================== > RCS file: /cvs/ports/security/certspotter/pkg/DESCR,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 DESCR > --- pkg/DESCR 13 Feb 2024 11:57:52 -0000 1.1.1.1 > +++ pkg/DESCR 14 Feb 2024 14:28:01 -0000 > @@ -14,3 +14,6 @@ You can use Cert Spotter to detect: > authority and want to impersonate your site. > - Certificates issued in violation of your corporate policy or outside > of your centralized certificate procurement process. > + > +N.B. Cert Spotter fetches the entire set of CT logs, using a large > +amount of bandwidth while doing so, possibly for a week or more. > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/security/certspotter/pkg/PLIST,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 PLIST > --- pkg/PLIST 13 Feb 2024 11:57:52 -0000 1.1.1.1 > +++ pkg/PLIST 14 Feb 2024 14:28:01 -0000 > @@ -11,4 +11,7 @@ > @mode > @owner > @group > +share/doc/certspotter/ > +share/doc/certspotter/CHANGELOG.md > +share/doc/certspotter/README.md > share/doc/pkg-readmes/${PKGSTEM}
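Review bot: on the first Makefile hunk, REVISION = 0 is the right bump here, since pkg/PLIST gains new files and existing 0.16.0 installs would otherwise not pick up the documentation on pkg_add -u; nothing else to raise.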
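Review bot: in the post-install hunk of the Makefile, `${INSTALL_DATA} ${WRKSRC}/*.md` installs whatever markdown files the upstream tarball happens to ship, while pkg/PLIST hard-codes exactly CHANGELOG.md and README.md; a future release that adds or renames a .md file would desync the two and only show up when someone runs make update-plist. Consider naming the files explicitly, e.g. `${INSTALL_DATA} ${WRKSRC}/README.md ${WRKSRC}/CHANGELOG.md ${PREFIX}/share/doc/certspotter`, so the Makefile and PLIST change together deliberately.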
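Review bot: the new N.B. in pkg/DESCR states the bandwidth cost but not that -start_at_end does not avoid it, which is the point raised earlier in this thread (Renaud reports the same bandwidth-hungry behaviour with that flag); since the man page text suggests -start_at_end is the cheap option, a reader of DESCR will likely reach for it and be surprised. Suggest one extra sentence after "possibly for a week or more.", e.g. "Starting with -start_at_end does not avoid this initial download." The pkg-readme already listed in PLIST (share/doc/pkg-readmes/${PKGSTEM}) is the other natural place for that caveat.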
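Review bot: the pkg/PLIST hunk matches what post-install creates (directory entry, then CHANGELOG.md and README.md, sorted before share/doc/pkg-readmes/); worth a final make update-plist after a clean build to confirm the glob picks up only those two files.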