Date:      Thu, 9 Apr 2015 18:14:07 +0200
From:      Baptiste Daroussin <bapt@freebsd.org>
To:        Loganaden Velvindron <loganaden@gmail.com>
Cc:        Christian Weisgerber <naddy@mips.inka.de>, FreeBSD ports <freebsd-ports@freebsd.org>, Bryan Drewery <bdrewery@freebsd.org>
Subject:   Re: LibreSSL infects ports, causes problems
Message-ID:  <20150409161407.GU95321@ivaldir.etoilebsd.net>
In-Reply-To: <CAOp4FwS6+wkO1OPom5W6u6RHPNQaLXiyF-tR20Sq4=dyMV+cXw@mail.gmail.com>
References:  <slrnmib1ur.2jau.naddy@lorvorc.mips.inka.de> <5525E609.70402@FreeBSD.org> <20150409115942.GA81282@lorvorc.mips.inka.de> <20150409130521.GQ95321@ivaldir.etoilebsd.net> <20150409155345.GA87497@lorvorc.mips.inka.de> <20150409155649.GT95321@ivaldir.etoilebsd.net> <CAOp4FwS6+wkO1OPom5W6u6RHPNQaLXiyF-tR20Sq4=dyMV+cXw@mail.gmail.com>


On Thu, Apr 09, 2015 at 04:00:45PM +0000, Loganaden Velvindron wrote:
> On Thu, Apr 9, 2015 at 3:56 PM, Baptiste Daroussin <bapt@freebsd.org> wrote:
> > On Thu, Apr 09, 2015 at 05:53:45PM +0200, Christian Weisgerber wrote:
> >> Baptiste Daroussin:
> >>
> >> > Somehow you have mixed up things between base openssl and libressl; when
> >> > starting to activate libressl, if you are using ports only you have to be extra
> >> > careful (same goes with ncurses or ports openssl): just installing those ports
> >> > is enough to "pollute" nearly anything you build after with a dependency on it
> >> > (well, anything that does link to libssl, libcrypto).
> >>
> >> Well, yes, that's what I said.  It's a bug.
> >>
> >> > If it is very complicated and
> >> > error prone to cherry pick "only take base openssl here, only ports openssl
> >> > there", the only "safe" way to solve this situation and be consistent is to
> >> > always skip the version from base and enforce the version from ports (the
> >> > other way around is impossible - very complicated).
> >>
> >> And the addition of LibreSSL as a not-quite-equivalent alternative
> >> to ports OpenSSL makes this even more complicated.  You can expect
> >> things coming out of OpenBSD (like new versions of net/openntpd)
> >> to require LibreSSL, because it includes a new library libtls that
> >> doesn't exist in OpenSSL.  In the meantime, LibreSSL has removed
> >> some of the more horrific APIs of OpenSSL, which means some ports
> >> will not build against LibreSSL as is.  Like python27.  Fixes for
> >> these problems can be picked from the OpenBSD ports tree, if we
> >> want to.
> >>
> >> It's kind of hard to fix such problems if there is no clear policy
> >> how things are supposed to work in the first place.
> >>
> >
> > I and others are working on a policy about that: always enforce openssl from
> > ports, with just a flag to say I want openssl or I want libressl but not both.
> > It would apply to other libs that behave the same way, but I have limited time on
> > this; anyone who wants to work on that is welcome :)
> 
> I think that we need to build up a team of people who are interested
> in making that happen in FreeBSD.
> 
> I would be very interested to have a LibreSSL-powered FreeBSD server
> for production use at work.
> 
The thing is, when you start pulling the string on this then you have to handle
all the other cases, because ports binaries will end up with some rpath to make
sure they find in priority things from localbase, but then if they are also linked
to libarchive, ncurses, etc. they will grab the localbase version as well
(depending on the shlib version of those), so doing the job for one of the libs
means doing it for all the others.

For now candidates are:
libarchive
ncurses
readline (which will then have to be linked to ports ncurses and not the base
version through the magic of fake libtermcap)
openssl
libedit(?)

for now I do have:
http://people.freebsd.org/~bapt/nobase.mk
http://people.freebsd.org/~bapt/ssl.mk

which will make the switch from USE_OPENSSL to USES=ssl.
nobase.mk is for ncurses basically: USES=ncurses will die and ncurses will just
become a regular LIB_DEPENDS.

Where it becomes fun is that now all ports will have to really respect LDFLAGS...

I already found a couple of bad boys in that area.

btw that should also solve some issues with python and its ncurses module.

Best regards,
Bapt
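An added example, not code from the thread or from the ports tree: a small sh check that reads `ldd` output for a ports binary and reports which of the libraries named in this thread (libssl, libcrypto, libtls, ncurses, libarchive, readline, libedit) were resolved from base rather than from ${LOCALBASE}, so the mixed linkage described above is visible before it bites. The /usr/local default, the watched library list and the sample ldd lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report where a binary's libssl,
# libcrypto, ncurses, libarchive, readline, libedit and libtls dependencies
# were resolved from, so mixed base/ports linkage is visible. Reads ldd output.
# LOCALBASE default and the library list are assumptions taken from the thread.
set -f   # no pathname expansion while word-splitting ldd lines
LOCALBASE="${LOCALBASE:-/usr/local}"
WATCHED='libssl libcrypto libtls libncurses libncursesw libarchive libreadline libedit'

# Constructed ldd output for a hypothetical ports binary that picked up base
# libssl/libcrypto but ports ncurses and libarchive (the mixed case above).
SAMPLE_LDD='/usr/local/bin/example:
    libssl.so.8 => /usr/lib/libssl.so.8 (0x800850000)
    libcrypto.so.8 => /usr/lib/libcrypto.so.8 (0x800c00000)
    libncursesw.so.6 => /usr/local/lib/libncursesw.so.6 (0x801000000)
    libarchive.so.6 => /usr/local/lib/libarchive.so.6 (0x801200000)
    libc.so.7 => /lib/libc.so.7 (0x801400000)'

# location_of PATH: prints ports, base or other
location_of() {
    case "$1" in
        "$LOCALBASE"/lib/*) echo ports ;;
        /lib/*|/usr/lib/*)  echo base ;;
        *)                  echo other ;;
    esac
}

# check_linkage: ldd output on stdin -> "name location path" per watched
# library; exit status 1 if any watched library came from base.
check_linkage() {
    rc=0
    while IFS= read -r line; do
        case "$line" in *'=>'*) ;; *) continue ;; esac   # skip "file:" header
        set -- $line                       # $1=soname $2='=>' $3=path
        base="${1%%.so*}"
        case " $WATCHED " in *" $base "*) ;; *) continue ;; esac
        if [ "$3" = not ]; then path='not found'; else path=$3; fi
        loc=$(location_of "$path")
        printf '%s %s %s\n' "$base" "$loc" "$path"
        [ "$loc" = base ] && rc=1
    done
    return $rc
}

# Usage: sh check_linkage.sh /usr/local/bin/some-ports-binary ...
if [ "$#" -gt 0 ]; then
    for f; do echo "== $f"; ldd "$f" | check_linkage; done
fi
```

Run it over everything in ${LOCALBASE}/bin after switching to ports openssl or libressl; any "base" line is a port that did not honour the rpath/LDFLAGS policy.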

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150409161407.GU95321>