From owner-svn-ports-head@freebsd.org  Fri Dec  9 14:19:09 2016
Return-Path: <owner-svn-ports-head@freebsd.org>
Delivered-To: svn-ports-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 91349C6822B;
 Fri,  9 Dec 2016 14:19:09 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com
 [66.111.4.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 6B5CE1D65;
 Fri,  9 Dec 2016 14:19:09 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id F0EB020821;
 Fri,  9 Dec 2016 09:19:01 -0500 (EST)
Received: from web4 ([10.202.2.214])
 by compute3.internal (MEProxy); Fri, 09 Dec 2016 09:19:01 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
 messagingengine.com; h=content-transfer-encoding:content-type
 :date:from:in-reply-to:message-id:mime-version:references
 :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=smtpout; bh=yi
 mIXyDopIvu7UKDYToDliIPDLg=; b=UzoahSk1c2Ab+tC36fsPgX5y8RCuTRBvCY
 GC+jYzcVTmIEBiLSsJj77Sbr2lj/7tELTRa78JUNWT+kPL3KqmAIGST7DhPRGwe1
 24bISJ9h5sGhnLRwXNJxQul3nTjufrk83GLB9GscpxVfMXwzQ8NW32/PJn9ag7sK
 vtUrK8fdw=
X-ME-Sender: <xms:Vb1KWMNuGI-o-L9Lg4AtROz1Ibwx79JYJFpHTaZ8oKhkIuITD_2sQQ>
Received: by mailuser.nyi.internal (Postfix, from userid 99)
 id CFB8BBAB40; Fri,  9 Dec 2016 09:19:01 -0500 (EST)
Message-Id: <1481293141.3621315.813810113.109D829E@webmail.messagingengine.com>
From: Mark Felder <feld@FreeBSD.org>
To: Mathieu Arnold <mat@FreeBSD.org>, ports-committers@freebsd.org,
 svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-8c423a33
In-Reply-To: <4649c489-221b-8d65-acb5-6e75832bfc28@FreeBSD.org>
References: <201612081707.uB8H7Ntk058921@repo.freebsd.org>
 <4649c489-221b-8d65-acb5-6e75832bfc28@FreeBSD.org>
Subject: Re: svn commit: r428138 - head/security/py-cryptography
Date: Fri, 09 Dec 2016 08:19:01 -0600
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the ports tree for head
 <svn-ports-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-head>, 
 <mailto:svn-ports-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-head/>
List-Post: <mailto:svn-ports-head@freebsd.org>
List-Help: <mailto:svn-ports-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-head>,
 <mailto:svn-ports-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Dec 2016 14:19:09 -0000



On Fri, Dec 9, 2016, at 04:12, Mathieu Arnold wrote:
> Le 08/12/2016 =C3=A0 18:07, Mark Felder a =C3=A9crit :
> > Author: feld
> > Date: Thu Dec  8 17:07:22 2016
> > New Revision: 428138
> > URL: https://svnweb.freebsd.org/changeset/ports/428138
> >
> > Log:
> >   security/py-pycryptography: Fix build on FreeBSD 9.3
> >=20=20=20
> >   Modern py-cryptography requires a more modern OpenSSL. This switch to
> >   requiring OpenSSL from ports is a disruptive change, but it will prot=
ect
> >   these users from the recently patched vulnerabilites.
> >=20=20=20
> >   Support for OpenSSL 0.9.8 was removed in pycryptography as of version=
 1.4.
> >   The last release to support OpenSSL 0.9.8 was 1.3.4 which is still
> >   vulnerable to the HDKF key generation bug. It appears that version 1.4
> >   did build successfully on FreeBSD 9.3, but upstream had abandoned
> >   support for OpenSSL 0.9.8 at that point so it is unclear if it was fu=
lly
> >   functional.
> >=20=20=20
> >   PR:		214915
> >   MFH:		2016Q4
> >
> > Modified:
> >   head/security/py-cryptography/Makefile
> >
> > Modified: head/security/py-cryptography/Makefile
> > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D
> > --- head/security/py-cryptography/Makefile	Thu Dec  8 17:05:45 2016	(r4=
28137)
> > +++ head/security/py-cryptography/Makefile	Thu Dec  8 17:07:22 2016	(r4=
28138)
> > @@ -27,6 +27,11 @@ USE_PYTHON=3D	autoplist distutils
> >  CFLAGS+=3D	-I${OPENSSLINC}
> >  LDFLAGS+=3D	-L${OPENSSLLIB}
> >=20=20
> > +# Modern py-cyptography requires newer OpenSSL
> > +.if ${OSVERSION} < 1000000
> > +WITH_OPENSSL_PORT=3D	yes
> > +.endif
> > +
>=20
> The correct fix is:
>=20
> .if ${OSVERSION} < 1000000 && ${SSL_DEFAULT:Mbase}
> IGNORE=3D Needs a more recent OpenSSL
> .endif
>=20

I was trying to avoid doing that because this means we won't have
packages on our mirrors for 9.3-RELEASE users. :(

--=20
  Mark Felder
  ports-secteam member
  feld@FreeBSD.org