Date:      Wed, 06 Apr 2016 00:28:28 +0200
From:      Michelle Sullivan <michelle@sorbs.net>
To:        Martin Waschbüsch <martin@waschbuesch.de>
Cc:        ports@freebsd.org, Kurt Jaeger <lists@opsec.eu>
Subject:   Re: Committer needed for PR 208029
Message-ID:  <57043C0C.6070502@sorbs.net>
In-Reply-To: <C96569DA-ADC5-4BE0-819A-7375C3F50D8E@waschbuesch.de>
References:  <498CA3F8-15EF-45BD-880C-241F83CBE3DD@waschbuesch.de> <20160405185159.GK35640@home.opsec.eu> <20160405200835.GM35640@home.opsec.eu> <57042958.5010701@sorbs.net> <C96569DA-ADC5-4BE0-819A-7375C3F50D8E@waschbuesch.de>

Martin Waschbüsch wrote:
>> Umm probably a really bad idea...  consider this or something more creative/descriptive:
>>
>> .if ${OPSYS} == FreeBSD && ${OSVERSION} < 1000000 && ${WITH_OPENSSL_PORT} != "yes"
>> BROKEN=		You must set WITH_OPENSSL_PORT=yes in /etc/make.conf on Pre 10.x
>> .endif
>>
>>
>> ... the idea instead of silently turning it on which could cause a myriad of hell for production systems where some ports are compiled against security/openssl and some against the base openssl... stop the compile and tell the user what they have to do to resolve it... which will then make anything else use the same openssl and lessen the dependency/library issues that could happen.
> Actually, I just noticed (when compiling the port), that the Makefile now says:
>
> WITH_OPENSSL_PORT=yes
>
> GNUTLS_CONFIGURE_WITH=  gnutls
> GNUTLS_LIB_DEPENDS=     libgnutls.so:security/gnutls
>
> POLARSSL_CONFIGURE_WITH=mbedtls
> POLARSSL_LIB_DEPENDS=   libmbedtls.so:security/polarssl13
>
> .include <bsd.port.options.mk>
>
> .if ${OPSYS} == FreeBSD && ${OSVERSION} < 1000000
> WITH_OPENSSL_PORT=yes
> .endif
>
> Which means that the ports version is used regardless of OSVERSION...
Yup... which is so much worse in so many other ways.. (IMHO) ... I mean 
why would you want to turn on openssl in any way if you have gnutls or 
polarssl on...  I suspect the whole set of options and way it's 
configured should be looked at a little more closely and have an option 
openssl as well ... or at least the broken= so that it will inform the 
user if the wrong version of openssl is attempted... and considering 
FreeBSD policy over base libraries and major releases maybe an option to 
set for including the ports version of openssl as well (so that a 
compile on 10.x while may work, if there is a security issue the 
prompting for openssl from ports will allow a person to patch up without 
necessarily knowing the significance... you know give the users a chance 
rather than leaving it to the FreeBSD Devs to say you are better off 
doing what we tell you.)

>
> Shall I open a PR for it and incorporate the BROKEN= approach?
>
I'm not the right person to ask over that question, I'm just throwing a 
suggestion on how you might consider handling it and other similar 
issues in ways that are a lot more useful and less error/dependency 
prone.  Bad things/assumptions in makefiles end up with version lock-in 
and/or broken linking/compiles when something needs to be upgraded... 
and the all singing all dancing pkg system is no better than the old 
system of pkg_add when it comes to these problems (in fact in some ways 
it's worse... because it tries to do the right thing when the right thing 
is actually impossible until someone changes compile options.)

-- 
Michelle Sullivan
http://www.mhix.org/
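As an added illustration (not code from this thread or from the port's real Makefile), here is how the BROKEN= check Michelle proposes could be tied to an explicit OPENSSL option, so GnuTLS and PolarSSL builds are left alone and WITH_OPENSSL_PORT is never flipped on silently. The option names, the SSL single-choice group and the defined() guard are assumptions for this example; the GNUTLS/POLARSSL lines are the ones quoted above.

```makefile
# Let the user pick exactly one TLS backend instead of always pulling in
# OpenSSL (hypothetical option layout for this example).
OPTIONS_SINGLE=		SSL
OPTIONS_SINGLE_SSL=	OPENSSL GNUTLS POLARSSL
OPTIONS_DEFAULT=	OPENSSL

# Backend wiring as quoted in the thread.
GNUTLS_CONFIGURE_WITH=	gnutls
GNUTLS_LIB_DEPENDS=	libgnutls.so:security/gnutls
POLARSSL_CONFIGURE_WITH=mbedtls
POLARSSL_LIB_DEPENDS=	libmbedtls.so:security/polarssl13

.include <bsd.port.options.mk>

.if ${PORT_OPTIONS:MOPENSSL}
USE_OPENSSL=	yes
# On FreeBSD before 10.x the base OpenSSL is too old for this port.  Rather
# than setting WITH_OPENSSL_PORT=yes behind the user's back (which mixes
# base and ports OpenSSL across the system), stop and say what to do.
# The defined() test keeps the conditional well-formed when the variable
# is unset in /etc/make.conf.
.  if ${OPSYS} == FreeBSD && ${OSVERSION} < 1000000 && \
      (!defined(WITH_OPENSSL_PORT) || ${WITH_OPENSSL_PORT} != yes)
BROKEN=	needs security/openssl on FreeBSD before 10.x; set WITH_OPENSSL_PORT=yes in /etc/make.conf
.  endif
.endif

.include <bsd.port.mk>
```

With this layout a GNUTLS or POLARSSL build never touches the OpenSSL check, and an OPENSSL build on 9.x fails with a message instead of quietly changing which libssl the rest of the system links against.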