From: Greg Troxel
To: Paul Hoffman
Cc: freebsd-security@freebsd.org
Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports
Date: Mon, 28 Apr 2014 10:11:55 -0400

Paul Hoffman writes:

> On Apr 27, 2014, at 8:08 AM, Jamie Landeg-Jones wrote:
>
>> Basically what I'm asking: Shouldn't a port that uses OpenSSL *always*
>> build against the port if it's installed?
>
> Yes, that is a reasonable expectation. I certainly had it in my head
> when I rebuilt Sendmail+TLS after heartbleed, but I didn't think of
> checking it.

I can see your point, but simply using a package that is installed
violates one of the basic design points of packaging systems. The built
package should not depend on the environment in ways that are not
expressed within packaging metadata.

In pkgsrc (NetBSD), pkgsrc openssl can be used. But there is a
calculated default (per platform) of whether the builtin version is good
enough. Currently, netbsd-5's 0.9.9 is deemed too crufty (due to
features; this is not about heartbleed). There are also variables to set
to prefer/use pkgsrc openssl even if builtin is deemed adequate, for
people that want to build that way.
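Added example, not part of the thread: the "I didn't think of checking it" step from the exchange above, as a POSIX sh check that classifies ldd(1) output to show whether a built binary actually resolves libssl/libcrypto from the base system or from ports. The library paths (/lib, /usr/lib for base; /usr/local/lib for ports) and the sample ldd output are assumptions constructed for the example.

```shell
#!/bin/sh
# Read ldd(1)-style output on stdin and report where the OpenSSL
# libraries resolve from: "ports", "base", "mixed" (libssl and
# libcrypto from different trees) or "none" (not linked at all).
# Path assumptions: base libs in /lib and /usr/lib, ports in /usr/local/lib.
classify_libssl() {
    base=0; ports=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ;;   # only the OpenSSL libraries matter
            *) continue ;;
        esac
        case "$line" in
            *"=> /usr/local/lib/"*)        ports=1 ;;
            *"=> /usr/lib/"*|*"=> /lib/"*) base=1 ;;
        esac
    done
    if [ "$base" -eq 1 ] && [ "$ports" -eq 1 ]; then echo mixed
    elif [ "$ports" -eq 1 ]; then echo ports
    elif [ "$base" -eq 1 ]; then echo base
    else echo none
    fi
}

# Constructed sample ldd output (not real captures; soname numbers are
# placeholders). SAMPLE_BASE is the case the thread worries about: the
# OpenSSL port is installed but the binary still uses the base libraries.
SAMPLE_BASE='/usr/local/sbin/sendmail:
	libssl.so.N => /usr/lib/libssl.so.N (0x800a00000)
	libcrypto.so.N => /lib/libcrypto.so.N (0x800c00000)
	libc.so.N => /lib/libc.so.N (0x801000000)'

SAMPLE_PORTS='/usr/local/sbin/sendmail:
	libssl.so.M => /usr/local/lib/libssl.so.M (0x800a00000)
	libcrypto.so.M => /usr/local/lib/libcrypto.so.M (0x800c00000)
	libc.so.N => /lib/libc.so.N (0x801000000)'

# Partial rebuild: libssl from ports, but libcrypto (where the TLS
# record code lives) still from base.
SAMPLE_MIXED='/usr/local/sbin/sendmail:
	libssl.so.M => /usr/local/lib/libssl.so.M (0x800a00000)
	libcrypto.so.N => /lib/libcrypto.so.N (0x800c00000)'

# Real use on a FreeBSD host: ldd /usr/local/sbin/sendmail | classify_libssl
```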