Local slave port for emulators/virtualbox-ose-additions without OpenGL and X11

I have a bunch of FreeBSD VMs running in VirtualBox. They all share a number of virtual harddrives, and among them are a virtual harddrive with the common contents of /var/db/ports.

My ports configuration of emulators/virtualbox-ose-additions have the OPENGL and X11 options set. This is useless on some of my simpler VMs, as those VMs have no need for any X11 ports, but they could sure benefit from having the VirtualBox additions installed. These simpler VMs are usually used only to test ZFS in FreeBSD in various configurations.

I could juggle the settings for emulators/virtualbox-ose-additions for each time I’m updating the VirtualBox additions port on my VMs, but I decided to create a local slave port disabling the OPENGL and X11 options. Maybe this port, with the necessary tweaking, could sit among its siblings in the official emulators category.

OPTIONS_EXCLUDE=	OPENGL X11

MASTERDIR=	${.CURDIR}/../../emulators/virtualbox-ose-additions
.include "${MASTERDIR}/Makefile"

CATEGORIES=		local
VALID_CATEGORIES+=	local

COMMENT=	VirtualBox additions for FreeBSD guests without OPENGL and X11

PATCHDIR=	${MASTERDIR}/../${PORTNAME}/files

PKGNAMESUFFIX=	-additions-nox11

PKGORIGIN=	${CATEGORIES}/${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}

# EOF

For now you must copy the /var/db/ports/local_virtualbox-ose-additions-additions-nox11/options file to /var/db/ports/emulators_virtualbox-ose-additions-additions-nox11/options, or else dialog4ports(1) will keep nagging you until kingdom come.

I guess this problem stems from early processing of bsd.port.mk as done by the master Makefile at a time when the CATEGORIES variable was set to emulators.

oinkmaster, wget, and HTTPS download of snort rules

oinkmaster started complaining like this the other day:

root@enterprise:~>oinkmaster -Q -b /usr/local/etc/snort/backup -o /usr/local/etc/snort/rules

/usr/local/bin/oinkmaster: Error: could not download from https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gz. Output from wget follows:

 https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gzResolving www.snort.org (www.snort.org)... 50.19.124.119, 54.225.152.149, 54.243.242.66
Connecting to www.snort.org (www.snort.org)|50.19.124.119|:443... connected.
ERROR: cannot verify www.snort.org's certificate, issued by '/C=US/O=Thawte, Inc./CN=Thawte SSL CA':
  Self-signed certificate encountered.
To connect to www.snort.org insecurely, use `--no-check-certificate'.

Oink, oink. Exiting...

Order was restored once again by adding the following line to .wgetrc in roots home directory:

check_certificate = off

This is not the proper way of handling HTTPS security, but it gets the job done. Previously we used HTTP access for downloading our snort rules, and it’s only recently we were redirected to use HTTPS access.

Update 2014-10-22

oinkmaster suddenly felt ill again, exiting with exit status 8:

root@enterprise:~>oinkmaster -b /usr/local/etc/snort/backup -o /usr/local/etc/snort/rules
Loading /usr/local/etc/oinkmaster.conf
Downloading file from https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gz...
/usr/local/bin/oinkmaster: Error: could not download from https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gz. Output from wget follows:

 https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gzResolving www.snort.org (www.snort.org)... 50.19.124.119, 54.225.152.149, 54.243.242.66
Connecting to www.snort.org (www.snort.org)|50.19.124.119|:443... connected.
WARNING: cannot verify www.snort.org's certificate, issued by '/C=US/O=Thawte, Inc./CN=Thawte SSL CA':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 422 Unprocessable Entity
2014-10-22 08:42:41 ERROR 422: Unprocessable Entity.


Oink, oink. Exiting...
root@enterprise:~>echo $?
8

This time check_certificate = off won’t help at all. Apparantly, wget does not correctly use the Certificate’s Subject Alternative Names (www.snort.org vs snort.org), according to a comment on http://blog.snort.org/2014/07/snort-2962-is-now-available.html.

I have wget 1.15 and OpenSSL 1.0.1j installed. I just reconfigured wget to link with GnuTLS 3.2.19, recompiled and reinstalled wget, and this is no better combination than linking wget with OpenSSL. :-/

A private conversation is now a terrorist act!

Welcome to the United States of Earth. It is now a terrorist act to have a private conversation! And if saying so will get us arrested, pick me first! It will not change my participation level until my computer is forcefully taken away from me.

(In Norwegian also known as “Amerikas forenklete stater,” “The Simplified States of America.”)

From: https://www.schneier.com/blog/archives/2014/07/nsa_targets_pri.html#c6673575.