From: Bernard Spil <brnrd@freebsd.org>
To: Dewayne Geraghty
Cc: freebsd-ports@freebsd.org
Subject: Re: Moving / renaming OpenSSL ports
Date: Sun, 19 Aug 2018 13:31:11 +0200
List-Id: Porting software to FreeBSD

On 2018-08-19 0:25, Dewayne Geraghty wrote:
> Bernard,
> Given the silly way that the openssl crew have decided to name their
> releases I think this is a good approach for the moment. I wonder how
> they'll number an update to 1.1 :) (1.1A 1.2?) or what an update to
> 1.1.1 - a rod for their own back, I think it a pity the TLS folks did
> not use 2.0 rather than 1.3).
>
> I've used your wikis a great deal and have found your proactive
> engagement a delight.
>
> Yes I still build all amd64 ports with libressl. I'm considering
> migration to libressl-devel because I think this will remove some
> security/libressl tweak complexity. ;)
>
> After reviewing your FOSDEM slides -
> - yes there are ports that use base even when told not to, so for
> libssl | libcrypto - I just remove them, though I do replace them with
> symlinks.
> - I hadn't seen this SSL_OP_SINGLE_DH_USE before. We regenerate DH on a
> daily basis in background, so for us it's preferred.
> - slide 17 - building without openssl creates deficient libarchive,
> which is ok if you pull via curl and one of the archiver/ tar-like
> files. Problematic for most users.
> - thank you for drawing my attention to this PRIVATELIB=true WOW!
> Great! I'll also search ports for any use of USEPRIVATELIB so I can
> remove the line ;)
> - pkg is a problem. We rebuild required ports then remove all ports
> (pkg delete -a), install (via tar) the key ones, then rebuild
> everything. Convoluted but effective for our purposes
>
> Excellent presentation, summary of history and references.
>
> Kind regards, Dewayne
> ps I use security/heimdal ports for all production servers, we build
> 1200+ ports each month - it catches a lot of mismatches. The
> recommendation to use MIT for anything is unfortunate - why provide the
> US the opportunity for additional sanctions :) I've found heimdal to be
> ridiculously stable in production AND predictable.

Hi Dewayne,

Thanks for your response! Waiting for some more people to chime in before I pull any triggers.

As for libressl-devel, there are no ABI changes so far and I haven't really seen any benefits of using 2.8 over 2.7 so far. Have you seen anything specific?

Heimdal is one of the blockers for updating OpenSSL to 1.1 in base :D

Cheers,

Bernard.
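The remark in the quoted message that some ports link against the base system's libssl/libcrypto even when told to use the ports version is something an administrator can verify rather than assume. The following is an added example, not code from either participant, from the FreeBSD ports tree or from the slides discussed: a small POSIX sh audit that reads ldd(1) output and flags binaries resolving libssl or libcrypto from /usr/lib (base) instead of /usr/local/lib (ports). The ldd output embedded below and the binary names in it are constructed for the example, and the function names (classify_ldd, uses_base_ssl, audit_dir) are hypothetical.

```shell
#!/bin/sh
# Added example: audit which OpenSSL/LibreSSL libraries installed binaries
# actually resolve at load time. Assumes FreeBSD ldd(1) output lines of the
# form "<tab>libname => /path/libname (0xaddr)".

# classify_ldd: read ldd output on stdin; for every libssl/libcrypto line print
# "BASE <lib> <path>" when the library comes from /usr/lib (base system) and
# "PORTS <lib> <path>" otherwise (e.g. /usr/local/lib from the ports tree).
classify_ldd() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            origin = ($3 ~ /^\/usr\/lib\//) ? "BASE" : "PORTS"
            print origin, $1, $3
        }'
}

# uses_base_ssl: succeed (exit 0) if the ldd output on stdin shows at least
# one libssl/libcrypto resolved from the base system.
uses_base_ssl() {
    classify_ldd | grep -q '^BASE'
}

# audit_dir: run the real ldd over every executable in a directory and report
# the ones that pull base libssl/libcrypto. Only meaningful on a FreeBSD host;
# a missing ldd or a non-dynamic file simply produces no output for that file.
audit_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -x "$f" ] || continue
        if ldd "$f" 2>/dev/null | uses_base_ssl; then
            printf 'base libssl/libcrypto: %s\n' "$f"
        fi
    done
}

# Constructed sample ldd output: a binary that resolved base libssl/libcrypto
# even though the port was supposedly built against the ports library.
SAMPLE_LDD_BASE='/usr/local/bin/example-base:
	libssl.so.111 => /usr/lib/libssl.so.111 (0x800a00000)
	libcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Constructed sample ldd output: a binary correctly linked to the ports copy.
SAMPLE_LDD_PORTS='/usr/local/bin/example-ports:
	libssl.so.45 => /usr/local/lib/libssl.so.45 (0x800a00000)
	libcrypto.so.43 => /usr/local/lib/libcrypto.so.43 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_LDD_BASE" | classify_ldd
printf '%s\n' "$SAMPLE_LDD_PORTS" | classify_ldd
```

On a real host the check is `audit_dir /usr/local/bin` (and likewise for /usr/local/sbin and /usr/local/lib); anything it reports is a candidate for the symlink or rebuild treatment described in the quoted message, and a binary that loads two different libssl versions through transitive dependencies will show up in classify_ldd output as both BASE and PORTS lines.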