From: Franco Fichtner <franco@lastsummer.de>
Subject: Re: [HEADSUP] change in default openssl coming
Date: Fri, 8 Jul 2016 12:04:34 +0200
To: Mark Millard
Cc: FreeBSD Ports, mat@FreeBSD.org
Message-Id: <9376B165-E918-45C7-9B84-60D634E37A1B@lastsummer.de>
List-Id: Porting software to FreeBSD

> On 08 Jul 2016, at 11:45 AM, Mark Millard wrote:
>
> Mathieu Arnold mat at FreeBSD.org wrote on Fri Jul 8 06:26:33 UTC 2016:
>
>> I will be changing the
>> default OpenSSL for the ports tree from the base system version to
>> security/openssl.
>
>
> This could be odd for something like ports-mgmt/pkg if it currently uses the base system version: needing to have had already built security/openssl in order to build/use pkg.

This needs to be built against base if it doesn't want to bundle the library. On a slightly related note, bapt@ added that pkg(8) doesn't necessarily need OpenSSL, but the implementations of the required algorithms are faster than available alternatives. And it's just that OpenSSL is such a large project that bundling makes it difficult.

A large portion of work in early 2015 focused on making OpenSSL ports build dependencies reliable, because LibreSSL from ports wasn't really working as many ports supposedly using OpenSSL from ports were using OpenSSL from base. Things have changed considerably in 1.5 years.

I think the main motivation here is: fixing security issues faster and depending less on base where possible to allow major upgrades of said SSL libraries to take place. The other one was that base OpenSSL should be more private, for that same reason or another.

As another example of how this might be useful: HardenedBSD can build LibreSSL base, but for people still needing OpenSSL in order not to jeopardise their job security the default of using the ports version would be the way to go. On OPNsense, we even build parallel tracks for OpenSSL and LibreSSL from ports and it's therefore possible to migrate from one track to the other as pkg(8) thinks it's upgrading to a new version where shared library dependencies changed. ;)

I think what's bad now is that the SSL port chosen is exclusive to the repository due to files installed. Switching to OpenSSL from ports will prevent ports that do depend on LibreSSL's shared library libtls.so from working, because OpenSSL is so deeply tied into today's software that it will be on almost any default installation.

Cheers,
Franco
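The thread's practical worry is that a binary built "against ports OpenSSL" may really resolve the base copy at run time, so the security fixes shipped with the port never reach it. The following audit is an added example, not code from the thread or from the FreeBSD project: it classifies ldd(1) output by whether libssl/libcrypto/libtls resolve from the base directory (/usr/lib) or the ports directory (/usr/local/lib). The sample ldd lines and library version numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify which SSL library copy a
# binary resolves, from ldd(1)-style lines on stdin.
# Prints one of: base, ports, mixed, none.
# Assumption: base libraries live in /usr/lib, ports libraries in /usr/local/lib.
classify_ssl_linkage() {
    awk '
        /lib(ssl|crypto|tls)\.so/ {
            if ($0 ~ /=> \/usr\/local\/lib\//)  ports++
            else if ($0 ~ /=> \/usr\/lib\//)    base++
        }
        END {
            if (ports && base)  print "mixed"   # both copies loaded: update both
            else if (ports)     print "ports"   # covered by security/openssl updates
            else if (base)      print "base"    # covered only by base system updates
            else                print "none"    # no SSL library linked
        }'
}

# Audit every executable in a directory (usage helper; run on a FreeBSD host).
audit_dir() {
    dir=${1:-/usr/local/sbin}
    for f in "$dir"/*; do
        [ -x "$f" ] || continue
        ldd "$f" 2>/dev/null | { printf '%s\t' "$f"; classify_ssl_linkage; }
    done
}

# Constructed ldd output for three cases (version suffixes are illustrative).
SAMPLE_PORTS='/usr/local/sbin/nginx:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'
SAMPLE_BASE='/usr/local/sbin/pkg:
    libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'
SAMPLE_MIXED='/usr/local/bin/example:
    libtls.so.11 => /usr/local/lib/libtls.so.11 (0x800a00000)
    libcrypto.so.7 => /usr/lib/libcrypto.so.7 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

for s in "$SAMPLE_PORTS" "$SAMPLE_BASE" "$SAMPLE_MIXED"; do
    printf '%s -> ' "$(printf '%s\n' "$s" | head -n 1)"
    printf '%s\n' "$s" | classify_ssl_linkage
done
```

A "mixed" result is the case to chase first: two copies of the same crypto code in one process means two patch cadences to track, and the libtls.so conflict mentioned above shows up here as a ports LibreSSL binary whose libcrypto resolves from base.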