Date:      Fri, 8 Jul 2016 11:15:32 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-ports@freebsd.org
Subject:   Re: [HEADSUP] change in default openssl coming
Message-ID:  <cdceb857-11a2-4cbe-8340-464af53aa98b@freebsd.org>
In-Reply-To: <EF6BABB8-91E7-404C-90DE-432A55C95937@dsl-only.net>
References:  <EF6BABB8-91E7-404C-90DE-432A55C95937@dsl-only.net>

On 07/08/16 10:45, Mark Millard wrote:
> Mathieu Arnold mat at FreeBSD.org wrote on Fri Jul 8 06:26:33 UTC 2016:
>
>> > I will be changing the
>> > default OpenSSL for the ports tree from the base system version to
>> > security/openssl.
>
> This could be odd for something like ports-mgmt/pkg if it currently
> uses the base system version: needing to have had already built
> security/openssl in order to build/use pkg.
>
> pkg tends to depend on the base system or have its own copies of
> things so that it is largely self contained -- at least that is my
> general understanding.
>
> I'm only using ports-mgmt/pkg as an illustration of an idea: I might
> be wrong about it using openssl for example. There might be other
> things besides ports-mgmt/pkg that might have such a relationship to
> the base system, sort of a bootstrapping issue.
>
> I'll note that I sometimes use powerpc and/or powerpc64 where
> source-based builds are required: no binary distributions are
> generally available for ports for them.

Yes -- that is a problem with pkg(8).  We don't want pkg(8) to have any
dependencies on other packages (outside of the base system), as that
complicates bootstrapping.  So there are three possible solutions here:

   * Use a statically linked version of pkg(8).  This is already done
     for bootstrapping pkg itself, but it's not favoured in general as
     static linkage prevents some of the other pkg functionality
     working.

   * Move pkg into the base system.  This is probably going to happen
     eventually, but the reasons for keeping pkg(8) separate are still
     valid: if pkg(8) development is tied to the OS release cycle, and
     consequently there are numerous different versions in use, it's
     going to slow down development, make supporting all the different
     OS release versions with binary packages much harder and make it
     much more difficult to push out bug fixes to pkg(8) specifically.

   * Make an exception for pkg(8) and allow it to continue using SSL
     libraries from the base system.

   * Import some sort of SSL library directly into the pkg(8) sources,
     in the same way that pkg(8) already pulls in libfetch and sqlite3.

One of the last two is going to be the solution for the foreseeable
future, with the 'move pkg(8) into base' solution being a much longer
term goal, once the pace of development on pkg(8) has stabilized.

Pkg(8) really is an exception here though.  Once pkg(8) is in place,
then *any* *other* package can be handled with whatever arbitrarily
complicated dependency tree is required.  It's already possible to
compile your own ports against the ports version of openssl or even to
use libressl instead.  Works like a charm, and switching between any of
these scenarios is something that pkg(8) already handles gracefully for
you. (I speak from experience.) The only concern is people being too
timid to update everything that needs this treatment at once -- in which
case there are some unusual scenarios in which you could get two
different copies of openssl shlibs dynamically loaded into one program
image, and that generally results in instant program abort and core
dump.  The Kerberos libs Mat mentioned are simply the most prominent
example of that sort of thing in the ports at the moment.

	Cheers,

	Matthew
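
The failure mode described in the message above, two different copies of the OpenSSL shared libraries ending up in one program image, can be looked for in ldd(1) output. This is an added example, not part of the original message or of pkg(8); the function names, binary paths and library version numbers in the sample are constructed for illustration.

```sh
#!/bin/sh
# Constructed ldd(1)-style output; paths and version numbers are made up.
sample_ldd_output() {
    cat <<'EOF'
/usr/local/bin/example-base-only:
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800823000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800a8e000)
/usr/local/bin/example-ports-only:
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800823000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800a8e000)
/usr/local/bin/example-mixed:
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800823000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800a8e000)
	libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x800c00000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800e00000)
EOF
}

# Read ldd-style output on stdin; print one line per binary and library
# (libssl or libcrypto) that resolves to more than one file on disk.
find_mixed_openssl() {
    awk '
    # Block header: an unindented line ending in ":" names the binary.
    $0 !~ /^[ \t]/ && /:$/ { bin = substr($0, 1, length($0) - 1); next }
    # Dependency line: "libfoo.so.N => /resolved/path (0xaddr)".
    $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ && $3 ~ /^\// {
        name = $1; sub(/\.so.*/, "", name)   # strip the version suffix
        key = bin SUBSEP name
        if (index(seen[key] " ", " " $3 " ") == 0) {
            seen[key] = seen[key] " " $3
            count[key]++
        }
    }
    END {
        for (key in count) if (count[key] > 1) {
            split(key, part, SUBSEP)
            printf "%s: %s from%s\n", part[1], part[2], seen[key]
        }
    }' | sort
}

sample_ldd_output | find_mixed_openssl
```

On a live system the same function can read real output, for instance `ldd /usr/local/bin/* 2>/dev/null | find_mixed_openssl`.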


