From: Nathan Gardner
To: ports@freebsd.org
Date: Mon, 24 Mar 2003 07:50:56 -0800 (PST)
Subject: /usr/ports/Mk/bsd.port.mk

I have had some difficulties getting things to work with the default bsd.port.mk (at least under FreeBSD 4.7). The most notable problems I have had thus far are when I try to not use the distribution's versions of SSL and PERL. The ports system does not appear to look for newer versions of these programs under /usr/local where the ports collection installs them. So if someone were to upgrade their system from the ports collection (say there was a new version of OpenSSL released, like there is every few months it seems) the ports collection still tries to use the one in /usr and doesn't look at the new one by default.

While it is the responsibility of administrators to be aware of the versions of their libraries, because the ports collection doesn't look for new versions in the places that it installs them, there is a chance of someone installing a new version of OpenSSL (for example) when an exploit comes out, recompiling everything as directed, and thinking everything is fixed, while in actuality their recompile didn't make use of the new libraries, and they are still vulnerable.

I assume that you folks have a far better understanding of this than I do, and that perhaps I am totally mistaken. Please advise.

I have modified my own bsd.port.mk so that it will use a new version of OpenSSL if you install it. Perhaps you can improve on my methods, but here is the section I wrote, which has worked nicely for me thus far. (Apache2, MySQL40, mod_php, courier-imap, and pine have all been happy with it).

Starting around line 39932 of /usr/ports/Mk/bsd.port.mk

--BEGIN
.if defined(USE_OPENSSL)
.if ${OSVERSION} >= 400014
OPENSSLBASE=	/usr/local
OPENSSLDIR=	/usr/local/openssl
.else
.if exists(/usr/lib/libcrypto.so)
OPENSSLBASE=	/usr
OPENSSLDIR=	/etc/ssl
.else
.BEGIN:
	@${ECHO_CMD} "This port requires the OpenSSL library, which is part of"
	@${ECHO_CMD} "the FreeBSD crypto distribution but not installed on your"
	@${ECHO_CMD} "machine. Please see the \"OpenSSL\" section in the handbook"
	@${ECHO_CMD} "(at \"http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/openssl.html\", for instance)"
	@${ECHO_CMD} "for instructions on how to obtain and install the FreeBSD"
	@${ECHO_CMD} "OpenSSL distribution."
	@${FALSE}
.endif
# OpenSSL in the base system may not include IDEA for patent licensing reasons.
.if defined(MAKE_IDEA) && !defined(OPENSSL_IDEA)
OPENSSL_IDEA=	${MAKE_IDEA}
.else
OPENSSL_IDEA?=	NO
.endif
.if ${OPENSSL_IDEA} == "NO"
# XXX This is a hack to work around the fact that /etc/make.conf clobbers
# our CFLAGS. It might not be enough for all future ports.
.if defined(HAS_CONFIGURE)
CFLAGS+=	-DNO_IDEA
.else
OPENSSL_CFLAGS+=-DNO_IDEA
.endif
MAKE_ARGS+=	OPENSSL_CFLAGS="${OPENSSL_CFLAGS}"
.endif
#.endif
.else
LIB_DEPENDS+=	crypto.2:${PORTSDIR}/security/openssl
OPENSSLBASE?=	${LOCALBASE}
OPENSSLDIR?=	${OPENSSLBASE}/openssl
.endif
OPENSSLLIB=	${OPENSSLBASE}/lib
OPENSSLINC=	${OPENSSLBASE}/include
MAKE_ENV+=	OPENSSLLIB=${OPENSSLLIB} OPENSSLINC=${OPENSSLINC} \
		OPENSSLBASE=${OPENSSLBASE} OPENSSLDIR=${OPENSSLDIR}
.endif
--END

I am not used to working with make, so I presume there should be a more elegant way of handling this. I thought that it would be worth passing along and seeing what you folks had to say about it.

Thank you,
Nathan

-- 
Nathan Gardner : System Administrator & Technosattva
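
A way to verify the outcome the message worries about, namely a rebuilt port that still links against the base system's OpenSSL. This is an added example, not part of the original post or of bsd.port.mk. The function names, the default LOCALBASE of /usr/local and the sample ldd output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Read `ldd` output on stdin and print one line per OpenSSL dependency:
#   "<origin> <library> <resolved path>"
# origin is "ports" (under $LOCALBASE), "base" (/lib or /usr/lib) or "other".
classify_openssl_libs() {
    localbase="${LOCALBASE:-/usr/local}"   # assumed default install prefix
    awk -v lb="$localbase" '
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            path = $3
            if (index(path, lb "/") == 1)        origin = "ports"
            else if (path ~ /^\/(usr\/)?lib\//)  origin = "base"
            else                                 origin = "other"
            print origin, $1, path
        }'
}

# Exit 0 only if every OpenSSL library resolves under $LOCALBASE,
# 1 if any resolves elsewhere, 2 if the binary does not link OpenSSL at all.
uses_only_ports_openssl() {
    result=$(classify_openssl_libs)
    [ -n "$result" ] || return 2
    ! printf '%s\n' "$result" | grep -qv '^ports '
}

# Constructed sample: a binary rebuilt after the upgrade but still on base libs.
SAMPLE_STALE='/usr/local/sbin/httpd:
    libssl.so.2 => /usr/lib/libssl.so.2 (0x280b1000)
    libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x280e0000)
    libc.so.4 => /usr/lib/libc.so.4 (0x281d9000)'

# Constructed sample: the same binary linked against the ports OpenSSL.
SAMPLE_FIXED='/usr/local/sbin/httpd:
    libssl.so.2 => /usr/local/lib/libssl.so.2 (0x280b1000)
    libcrypto.so.2 => /usr/local/lib/libcrypto.so.2 (0x280e0000)
    libc.so.4 => /usr/lib/libc.so.4 (0x281d9000)'

# Report for any binaries named on the command line (no-op without arguments).
for bin in "$@"; do
    echo "== $bin"
    ldd "$bin" 2>/dev/null | classify_openssl_libs
done
```

Run against each rebuilt binary after an OpenSSL update; any line starting with "base" marks a program that did not pick up the library installed from ports.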