- brew update and can still reproduce the problem?
- brew doctor, fixed all issues and can still reproduce the problem?
- brew gist-logs <formula> (where <formula> is the name of the formula that failed) and included the output link? N/A, not an install issue.

The openssl@1.1 post_install generates a list of root certificates from the macOS system roots, and places it at /usr/local/etc/openssl@1.1/cert.pem. That's great.
openssl also used to do the same with path /usr/local/etc/openssl/cert.pem. Now, openssl is just an alias for openssl@1.1. Also great.
Unfortunately, the openssl Formula seems to have left behind a /usr/local/etc/openssl/cert.pem file that is not being updated by anything anymore.
There are already 4 roots that were removed sometime between 10.15.2 and 10.15.4 which on my system are not in /usr/local/etc/openssl@1.1/cert.pem but are in the out-of-date /usr/local/etc/openssl/cert.pem.
Root removals can be security critical changes, so it's important that they get reflected in any derived list. Any application using an old list might trust roots that were compromised, or are not bound by the Apple Root Program rules anymore.
I'm not sure what migration tooling you have, but I think the cleanest solution would be for /usr/local/etc/openssl to be a symlink to /usr/local/etc/openssl@1.1.
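A quick way to see which roots the orphaned bundle still carries that the maintained one no longer has, added here as an example and not part of the original issue: it fingerprints every certificate in both PEM bundles and reports the ones only present in the stale file. The inline bundles are constructed stand-ins whose base64 payloads are arbitrary bytes, not real certificates; the `describe` helper and the default file paths are assumptions.

```python
import base64
import hashlib
import re
import subprocess

# Every PEM certificate block in a bundle such as Homebrew's cert.pem.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-ins: the base64 is arbitrary data ("AAA", "BBB", "CCC"),
# not real certificates, so only the fingerprint diff is meaningful for them.
CURRENT_BUNDLE = ("-----BEGIN CERTIFICATE-----\nQUFB\n-----END CERTIFICATE-----\n"
                  "-----BEGIN CERTIFICATE-----\nQkJC\n-----END CERTIFICATE-----\n")
STALE_BUNDLE = CURRENT_BUNDLE + "-----BEGIN CERTIFICATE-----\nQ0ND\n-----END CERTIFICATE-----\n"

def load_bundle(text):
    """Map SHA-256 fingerprint of each DER-encoded certificate to its PEM block."""
    out = {}
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        out[hashlib.sha256(der).hexdigest()] = (
            f"-----BEGIN CERTIFICATE-----{body}-----END CERTIFICATE-----")
    return out

def stale_only(current_text, stale_text):
    """Fingerprints present in the stale bundle but absent from the current one."""
    current = load_bundle(current_text)
    return sorted(fp for fp in load_bundle(stale_text) if fp not in current)

def describe(pem_block):
    """Best effort: ask the openssl CLI for the subject, else say why we could not."""
    try:
        r = subprocess.run(["openssl", "x509", "-noout", "-subject"], input=pem_block,
                           capture_output=True, text=True, check=True)
        return r.stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return "(subject unavailable: openssl CLI missing or block is not a certificate)"

if __name__ == "__main__":
    # Paths from the issue, assuming the default /usr/local prefix.
    current = open("/usr/local/etc/openssl@1.1/cert.pem").read()
    stale = open("/usr/local/etc/openssl/cert.pem").read()
    stale_blocks = load_bundle(stale)
    for fp in stale_only(current, stale):
        print(f"only in stale bundle: sha256={fp}\n  {describe(stale_blocks[fp])}")
```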
Unfortunately, the openssl Formula seems to have left behind a /usr/local/etc/openssl/cert.pem file that is not being updated by anything anymore.
We intentionally do not remove files from etc as they are considered user-owned/modified rather than Homebrew-owned/modified.
If you can point to any software that's using this certificate bundle we'll adjust that. Otherwise, just remove it yourself and there will be no harm.
If you're referring to a specific formula in future: please supply your brew config so we can keep track and triage according to your revision (as requested by the issue template).
Unfortunately, the openssl Formula seems to have left behind a /usr/local/etc/openssl/cert.pem file that is not being updated by anything anymore.
We intentionally do not remove files from etc as they are considered user-owned/modified rather than Homebrew-owned/modified.
I don't see how cert.pem is not Homebrew-owned/modified, as it's (very correctly) regenerated on every Formula re-install or update, and users are clearly instructed to use the certs directory for custom roots.
$ echo foo > /usr/local/etc/openssl@1.1/cert.pem
$ brew reinstall openssl@1.1
$ ls -l /usr/local/etc/openssl@1.1/cert.pem
-rw-r--r-- 1 filippo admin 265719 4 May 11:25 /usr/local/etc/openssl@1.1/cert.pem
/usr/local/etc/openssl/cert.pem was Homebrew-owned/modified, and it became orphaned when the openssl Formula went away. It's not in libexec, so it was not reserved for use by openssl, and there is a good chance user configurations out there rely on it. Those configurations are now not getting security updates. A simple symlink to its openssl@1.1 counterpart would fix it.
If you're referring to a specific formula in future: please supply your brew config so we can keep track and triage according to your revision (as requested by the issue template).
brew gist-logs refused to run on an alias.
/usr/local/etc/openssl/cert.pem was Homebrew-owned/modified, and it became orphaned when the openssl Formula went away.
Yes. To clarify: we never cleanup files in etc. This is intentional behaviour.
brew gist-logs refused to run on an alias.
The line in the issue template you deleted:
if brew gist-logs didn't work: ran brew config and brew doctor and included their output with your issue?
and there is a good chance user configurations out there rely on it.
Can you point out any of these specifically?
A simple symlink to its openssl@1.1 counterpart would fix it.
It would fix a hypothetical issue but introduce the expectation that we cleanup etc in this way.
and there is a good chance user configurations out there rely on it.
Can you point out any of these specifically?
No, but if there weren't any, then there would be no reason not to delete it. If there are users that rely on it, then they are going to not get security updates.
Again, every openssl@1.1 upgrade deletes and regenerates /usr/local/etc/openssl@1.1/cert.pem. Maybe it should not have been in /etc, but it's not a user-owned file.
Deleting this file on uninstalling is a WONTFIX, sorry.
_sigh_. Thanks anyway for Homebrew.
@FiloSottile You're welcome.
_sigh_.
For future issues: I'd like to suggest that this tone isn't super helpful, thanks.
@FiloSottile Thanks for submitting https://github.com/Homebrew/homebrew-core/pull/54257 to address this, it's much appreciated. I'd like to apologise for my argumentative tone here and not doing more due diligence. It's something I need to work on and improve.
As gnutls is not affected (as reported in #54257) because it creates the file with up-to-date content, is installing the gnutls Formula a viable short-term mitigation?
Similar to what the weechat Formula is doing, installing gnutls should result in an up-to-date file not susceptible to this issue.
@endorama brew install gnutls (or brew postinstall gnutls if it is already installed) will regenerate that file with the latest certificates.
If you do not use gnutls you can rm $(brew --prefix)/etc/openssl/cert.pem instead.
Hello,
If you can point to any software that's using this certificate bundle we'll adjust that. Otherwise, just remove it yourself and there will be no harm.
Composer does: https://github.com/composer/ca-bundle/blob/master/src/CaBundle.php#L94-L95
@ozh Sorry, I meant "any software that Homebrew provides where we are pointing to that file". In that case: a PR should be sent to Composer to update that file.
@MikeMcQuaid ok my bad, sorry for misunderstanding. Will check with the composer guys!
@FiloSottile Thanks for submitting #54257 to address this, it's much appreciated.
Glad I could help, and great to see Homebrew/brew#7508 to make this easier/safer in the future!
I'd like to apologise for my argumentative tone here and not doing more due diligence. It's something I need to work on and improve.
Thank you, I appreciate that. I know it's an especially stressful time for everyone. Sorry for shortcutting the template and for losing patience in https://github.com/Homebrew/homebrew-core/issues/54235#issuecomment-623633429.
To avoid issues like the Composer one, and to better align with its effective ownership and lifecycle, may I suggest putting the system roots file in the Cellar for the next iteration of the OpenSSL Formula (presumably [email protected])?
Thank you, I appreciate that. I know it's an especially stressful time for everyone. Sorry for shortcutting the template and for losing patience in #54235 (comment).
You're welcome ❤️. Have a toddler and a baby at home who are bouncing off the walls!
To avoid issues like the Composer one, and to better align with its effective ownership and lifecycle, may I suggest putting the system roots file in the Cellar for the next iteration of the OpenSSL Formula (presumably [email protected])?
We're talking about what best to do here. Some ideas that have come up:
- ca-certificates package
- printing the list of left-behind files on uninstall so people know to remove them
Opened a PR for this: https://github.com/Homebrew/brew/pull/7526. It'll both print the ones it's sure about (which would include the mentioned openssl ones, here) and those it's not (that match a glob pattern).