From: Nick Rogers
Date: Wed, 6 Feb 2019 17:53:20 -0500
Subject: Re: Using LibreSSL with only one or a subset of all installed ports
To: Kevin Oberman
Cc: "ports@FreeBSD.org"

On Wed, Feb 6, 2019 at 5:32 PM Nick Rogers wrote:

> On Wed, Feb 6, 2019 at 1:59 PM Kevin Oberman wrote:
>
>> On Wed, Feb 6, 2019 at 7:55 AM Nick Rogers wrote:
>>
>>> I am wondering if it is wise or possible to use libressl for only a
>>> single installed port, while continuing to use OpenSSL from Base for
>>> all remaining installed ports. I would like to do this in order to
>>> get around the fact that lang/phantomjs does not compile against
>>> openssl 1.1.x due to API changes, and fixing it is less than trivial.
>>> However, I am not quite ready to switch other ports to LibreSSL.
>>>
>>> My thought was to use the following approach in make.conf when
>>> building via poudriere.
>>>
>>> .if ${.CURDIR:M*/lang/phantomjs}
>>> DEFAULT_VERSIONS+= ssl=libressl
>>> .endif
>>>
>>> I am hoping for some advice as to whether or not this will work, or
>>> if it's a terrible idea, or if there is perhaps a better way to
>>> toggle libressl per-port. All the port documentation I can find
>>> suggests an outright switch to libressl for all ports, so I am
>>> concerned there is something I am missing that will not be happy?
>>
>> Along this path lies madness! Not that it can't work, but it is very
>> dangerous and likely to get more complicated over time.
>>
>> The problem is with having multiple sharable libraries (.so) of the
>> same name. The loader will refuse to load an executable if it attempts
>> to load two or more shareable libraries that have a common name as it
>> is not possible to determine which library to use for any reference.
>> If phantomjs calls ssl routines directly and also is linked to a
>> shareable that is linked to either the openssl port installed
>> shareable or the base system shareable, the code will not load. As
>> linkages grow more and more complex, this tends to turn into a real
>> rat's nest.
>>
>> I'm not saying that it can't be done, but you have to know all of the
>> linkages and be very sure that there are no conflicts.
>
> Thanks for the input. I currently exclusively use OpenSSL in base, so I
> was hoping there was something sane and similar to control using base
> vs. security/openssl, like the WITH_OPENSSL_PORT and WITH_OPENSSL_BASE
> knobs, only for libressl. It looks like security/openssl is still on
> 1.0, so I might be able to get phantomjs working with security/openssl
> and continue using base for other ports.

Now what I can't figure out is how to tell a specific port to use
security/openssl and have others use base. The handbook implies that
this is possible per-port with the WITH_OPENSSL_* knobs, but those have
been deprecated in favor of the global DEFAULT_VERSIONS+= ssl=openssl
approach. Anyone know how to correctly set ssl=openssl for a single port
via make.conf?

> --
>> Kevin Oberman, Part time kid herder and retired Network Engineer
>> E-mail: rkoberman@gmail.com
>> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
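
A check for the mixed linkage described in the quoted reply, as an added example that is not part of the original thread: it reads `ldd -a`-style output and reports when libssl or libcrypto resolves to more than one path anywhere in a binary's dependency tree. The sample input, its library version numbers and the `libdep.so.1` dependency are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag a binary whose dependency tree pulls libssl or
# libcrypto from more than one location (e.g. base and a port).

# Read `ldd -a`-style output on stdin; print one line per library stem
# (libssl, libcrypto) that resolves to more than one distinct path.
find_ssl_conflicts() {
    awk '
        # Dependency lines look like: libssl.so.9 => /path/libssl.so.9 (0x...)
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            stem = $1
            sub(/\.so.*/, "", stem)          # libssl.so.9 -> libssl
            if (!((stem, $3) in seen)) {     # count each distinct path once
                seen[stem, $3] = 1
                paths[stem] = paths[stem] " " $3
                count[stem]++
            }
        }
        END {
            for (s in count)
                if (count[s] > 1) print s ":" paths[s]
        }
    ' | sort
}

# Constructed sample: the binary links the port's OpenSSL directly, while a
# hypothetical dependency (libdep.so.1) was built against the base libraries.
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/phantomjs:
    libssl.so.9 => /usr/local/lib/libssl.so.9 (0x800a00000)
    libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x800c00000)
    libdep.so.1 => /usr/local/lib/libdep.so.1 (0x801000000)
    libc.so.7 => /lib/libc.so.7 (0x801400000)
/usr/local/lib/libdep.so.1:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x801800000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x801a00000)
    libc.so.7 => /lib/libc.so.7 (0x801400000)
EOF
}

# Each output line names a library stem and every path it resolved to.
sample_ldd | find_ssl_conflicts
```

On a real system the input would come from `ldd -a` run against the installed binary; empty output means each of the two libraries resolved to a single path.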