On 2/14/24 15:28, Stuart Henderson wrote:
Yes, that warning makes sense. That's a good idea to add it. I was also surprised the first time, then I launched it with the start_at_end flag to see that it was exactly the same bandwidth hungry behaviour.

On 2024/02/14 15:04, Renaud Allard wrote:
On 2/14/24 14:43, Ian Darwin wrote:
On 2/14/24 07:07, Stuart Henderson wrote:

ooof, this uses a *lot* of bandwidth!

From the man page:

-start_at_end : Start monitoring logs from the end rather than the beginning. **WARNING**: monitoring from the beginning guarantees detection of all certificates, but requires downloading hundreds of millions of certificates, which takes days.

Whatever one you choose, it will need to build its database and that takes days. I don't remember exactly how much time it took, but that was in the one week range or so. After it has downloaded every cert, it will be somewhat quiet.

How about this so at least we do give some kind of warning? I added the docs in while there.
Index: Makefile =================================================================== RCS file: /cvs/ports/security/certspotter/Makefile,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 Makefile --- Makefile 13 Feb 2024 11:57:52 -0000 1.1.1.1 +++ Makefile 14 Feb 2024 14:28:01 -0000 @@ -4,6 +4,7 @@ ONLY_FOR_ARCHS = aarch64 amd64 mips64 ri COMMENT = Certificate Transparency log monitorV = 0.16.0+REVISION = 0 MODGO_MODNAME = software.sslmate.com/src/certspotter MODGO_VERSION = v${V}@@ -21,6 +22,10 @@ PERMIT_PACKAGE = YesMODULES = lang/goWANTLIB += c pthread+ +post-install: + ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/certspotter + ${INSTALL_DATA} ${WRKSRC}/*.md ${PREFIX}/share/doc/certspotter.include "modules.inc".include <bsd.port.mk> Index: pkg/DESCR =================================================================== RCS file: /cvs/ports/security/certspotter/pkg/DESCR,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 DESCR --- pkg/DESCR 13 Feb 2024 11:57:52 -0000 1.1.1.1 +++ pkg/DESCR 14 Feb 2024 14:28:01 -0000 @@ -14,3 +14,6 @@ You can use Cert Spotter to detect: authority and want to impersonate your site. - Certificates issued in violation of your corporate policy or outside of your centralized certificate procurement process. + +N.B. Cert Spotter fetches the entire set of CT logs, using a large +amount of bandwidth while doing so, possibly for a week or more. Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/security/certspotter/pkg/PLIST,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 PLIST --- pkg/PLIST 13 Feb 2024 11:57:52 -0000 1.1.1.1 +++ pkg/PLIST 14 Feb 2024 14:28:01 -0000 @@ -11,4 +11,7 @@ @mode @owner @group +share/doc/certspotter/ +share/doc/certspotter/CHANGELOG.md +share/doc/certspotter/README.md share/doc/pkg-readmes/${PKGSTEM}
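Review bot: In the Makefile post-install target, `${INSTALL_DATA} ${WRKSRC}/*.md` installs whatever Markdown files upstream ships, while the pkg/PLIST hunk in the same patch names only CHANGELOG.md and README.md. Naming those two files explicitly in the install line would keep the target and the packing list in step if a later release adds another .md file to the source tree.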
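Review bot: The N.B. paragraph added to pkg/DESCR is only seen by someone who reads the package description, which may be after the download has already started. The unchanged context line in the pkg/PLIST hunk shows the port already ships share/doc/pkg-readmes/${PKGSTEM}, so repeating the bandwidth and duration note there would put it where users are pointed at install time.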