Date: Wed, 06 Apr 2016 00:28:28 +0200 From: Michelle Sullivan <michelle@sorbs.net> To: =?UTF-8?Q?Martin_Waschb=c3=bcsch?= <martin@waschbuesch.de> Cc: ports@freebsd.org, Kurt Jaeger <lists@opsec.eu> Subject: Re: Committer needed for PR 208029 Message-ID: <57043C0C.6070502@sorbs.net> In-Reply-To: <C96569DA-ADC5-4BE0-819A-7375C3F50D8E@waschbuesch.de> References: <498CA3F8-15EF-45BD-880C-241F83CBE3DD@waschbuesch.de> <20160405185159.GK35640@home.opsec.eu> <20160405200835.GM35640@home.opsec.eu> <57042958.5010701@sorbs.net> <C96569DA-ADC5-4BE0-819A-7375C3F50D8E@waschbuesch.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Martin Waschbüsch wrote:
>> Umm probably a really bad idea... consider this or something more creative/descriptive:
>>
>> .if ${OPSYS} == FreeBSD && ${OSVERSION} < 1000000 && ${WITH_OPENSSL_PORT} != "yes"
>> BROKEN= You must set WITH_OPENSSL_PORT=yes in /etc/make.conf on Pre 10.x
>> .endif
>>
>>
>> ... the idea instead of silently turning it on which could cause a myriad of hell for production systems where some ports are compiled against security/openssl and some against the base openssl... stop the compile and tell the user what they have to do to resolve it... which will then make anything else use the same openssl and lessen the dependency/library issues that could happen.
> Actually, I just noticed (when compiling the port), that the Makefile now says:
>
> WITH_OPENSSL_PORT=yes
>
> GNUTLS_CONFIGURE_WITH= gnutls
> GNUTLS_LIB_DEPENDS= libgnutls.so:security/gnutls
>
> POLARSSL_CONFIGURE_WITH=mbedtls
> POLARSSL_LIB_DEPENDS= libmbedtls.so:security/polarssl13
>
> .include <bsd.port.options.mk>
>
> .if ${OPSYS} == FreeBSD && ${OSVERSION} < 1000000
> WITH_OPENSSL_PORT=yes
> .endif
>
> Which means that the ports version is used regardless of OSVERSION...
Yup... which is so much worse in so many other ways.. (IMHO) ... I mean
why would you want to turn on openssl in any way if you have gnutls or
polarssl on... I suspect the whole set of options and way its
configured should be looked at a little more closely and have an option
openssl as well ... or at least the broken= so that it will inform the
user if the wrong version of openssl is attempted... and considering
FreeBSD policy over base libraries and major releases maybe an option to
set for including the ports version of openssl as well (so that a
compile on 10.x while may work, if there is a security issue the
prompting for openssl from ports will allow a person to patch up without
necessarily knowing the significance... you know give the users a chance
rather than leaving it to the FreeBSD Devs to say you are better off
doing what we tell you.)
>
> Shall I open a PR for it and incorporate the BROKEN= approach?
>
I'm not the right person to ask over that question, I'm just throwing a
suggestion on how you might consider handling it and other similar
issues in ways that are a lot more useful and less error/dependency
prone. Bad things/assumptions in makefiles end up with version lock-in
and/or broken linking/compiles when something needs to be upgraded...
and the all singing all dancing pkg system is no better than the old
system of pkg_add when it comes to these problems (in fact in some ways
its worse... because it tries to do the right thing when the right thing
is actually impossible until someone changes compile options.)
--
Michelle Sullivan
http://www.mhix.org/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?57043C0C.6070502>