Date: Fri, 8 Jul 2016 12:04:34 +0200
From: Franco Fichtner <franco@lastsummer.de>
To: Mark Millard <markmi@dsl-only.net>
Cc: FreeBSD Ports <freebsd-ports@freebsd.org>, mat@FreeBSD.org
Subject: Re: [HEADSUP] change in default openssl coming
Message-ID: <9376B165-E918-45C7-9B84-60D634E37A1B@lastsummer.de>
In-Reply-To: <EF6BABB8-91E7-404C-90DE-432A55C95937@dsl-only.net>
References: <EF6BABB8-91E7-404C-90DE-432A55C95937@dsl-only.net>
> On 08 Jul 2016, at 11:45 AM, Mark Millard <markmi@dsl-only.net> wrote:
>
> Mathieu Arnold mat at FreeBSD.org wrote on Fri Jul 8 06:26:33 UTC 2016:
>
>> I will be changing the
>> default OpenSSL for the ports tree from the base system version to
>> security/openssl.
>
>
> This could be odd for something like ports-mgmt/pkg if it currently uses the base system version: needing to have had already built security/openssl in order to build/use pkg.

This needs to be built against base if it doesn't want to bundle the library.

On a slightly related note, bapt@ added that pkg(8) doesn't necessarily need OpenSSL, but the implementations of the required algorithms are faster than the available alternatives. And it's just that OpenSSL is such a large project that bundling makes it difficult.

A large portion of work in early 2015 focused on making OpenSSL ports build dependencies reliable, because LibreSSL from ports wasn't really working, as many ports supposedly using OpenSSL from ports were using OpenSSL from base. Things have changed considerably in 1.5 years.

I think the main motivation here is: fixing security issues faster and depending less on base where possible to allow major upgrades to take place of said SSL libraries. The other one was that base OpenSSL should be more private, for that same reason or another.

As another example of how this might be useful: HardenedBSD can build LibreSSL base, but for people still needing OpenSSL in order not to jeopardise their job security, the default of using the ports version would be the way to go.

On OPNsense, we even build parallel tracks for OpenSSL and LibreSSL from ports, and it's therefore possible to migrate from one track to the other as pkg(8) thinks it's upgrading to a new version where shared library dependencies changed. ;)

I think what's bad now is that the SSL port chosen is exclusive to the repository due to the files installed. Switching to OpenSSL from ports will prevent ports that do depend on LibreSSL's shared library libtls.so from working, because OpenSSL is so deeply tied into today's software that it will be on almost any default installation.

Cheers,
Franco