From: Matthew Seaman
To: freebsd-ports@freebsd.org
Subject: Re: [HEADSUP] change in default openssl coming
Date: Fri, 8 Jul 2016 11:15:32 +0100

On 07/08/16 10:45, Mark Millard wrote:
> Mathieu Arnold mat at FreeBSD.org wrote on Fri Jul 8 06:26:33 UTC 2016:
>
>> > I will be changing the
>> > default OpenSSL for the ports tree from the base system version to
>> > security/openssl.
>
> This could be odd for something like ports-mgmt/pkg if it currently
> uses the base system version: needing to have had already built
> security/openssl in order to build/use pkg.
>
> pkg tends to depend on the base system or have its own copies of
> things so that it is largely self contained --at least that is my
> general understanding.
>
> I'm only using ports-mgmt/pkg as an illustration of an idea: I might
> be wrong about it using openssl for example. There might be other
> things besides ports-mgmt/pkg that might have such a relationship to
> the base system, sort of a bootstrapping issue.
>
> I'll note that I sometimes use powerpc and/or powerpc64 where
> source-based builds are required: no binary distributions are
> generally available for ports for them.

Yes -- that is a problem with pkg(8). We don't want pkg(8) to have any
dependencies on other packages (outside of the base system), as that
complicates bootstrapping. So there are three possible solutions here:

* Use a statically linked version of pkg(8). This is already done for
  bootstrapping pkg itself, but it's not favoured in general as static
  linkage prevents some of the other pkg functionality working.

* Move pkg into the base system. This is probably going to happen
  eventually, but the reasons for keeping pkg(8) separate are still
  valid: if pkg(8) development is tied to the OS release cycle, and
  consequently there are numerous different versions in use, it's going
  to slow down development, make supporting all the different OS
  release versions with binary packages much harder and make it much
  more difficult to push out bug fixes to pkg(8) specifically.

* Make an exception for pkg(8) and allow it to continue using SSL
  libraries from the base system.

* Import some sort of SSL library directly into the pkg(8) sources, in
  the same way that pkg(8) already pulls in libfetch and sqlite3.

One of the last two is going to be the solution for the foreseeable
future, with the 'move pkg(8) into base' solution being a much longer
term goal, once the pace of development on pkg(8) has stabilized.

Pkg(8) really is an exception here though. Once pkg(8) is in place,
then *any* *other* package can be handled with whatever arbitrarily
complicated dependency tree is required.

It's already possible to compile your own ports against the ports
version of openssl or even to use libressl instead. Works like a charm,
and switching between any of these scenarios is something that pkg(8)
already handles gracefully for you. (I speak from experience.)

The only concern is people being too timid to update everything that
needs this treatment at once -- in which case there are some unusual
scenarios in which you could get two different copies of openssl shlibs
dynamically loaded into one program image, and that generally results
in instant program abort and core dump. The Kerberos libs Mat mentioned
are simply the most prominent example of that sort of thing in the
ports at the moment.
Cheers,

Matthew
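
The mixed-linkage case described in the message above (base and ports copies of the OpenSSL shared libraries ending up in one program image) can be spotted from ldd(1) output. This is an added example, not part of the original message or of pkg(8); it assumes base libraries live in /lib or /usr/lib and ports libraries under LOCALBASE (/usr/local), and the sample ldd lines, the function names and the binary path are constructed for illustration.

```shell
#!/bin/sh
# Added example: report where libssl/libcrypto resolve from in ldd(1) output.
# Assumption: base libraries live in /lib or /usr/lib, ports libraries under
# LOCALBASE (default /usr/local).
LOCALBASE="${LOCALBASE:-/usr/local}"

# Reads ldd-style lines on stdin: "libfoo.so.N => /path/libfoo.so.N (0x...)".
# Prints "<origin> <path>" once per distinct OpenSSL library found.
# Exit status 0: base and ports copies both present (mixed); 1: not mixed.
openssl_origins() {
    awk -v lb="$LOCALBASE" '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            path = $3
            if (index(path, lb "/") == 1)        origin = "ports"
            else if (path ~ /^\/(usr\/)?lib\//)  origin = "base"
            else                                 origin = "other"
            if (!((origin, path) in seen)) {
                seen[origin, path] = 1
                print origin, path
            }
            count[origin]++
        }
        END { exit !(count["base"] > 0 && count["ports"] > 0) }
    '
}

# Constructed sample: a program built against the ports OpenSSL that also
# loads a base-system Kerberos library, which drags in the base libcrypto.
sample_mixed() {
    cat <<'EOF'
/usr/local/bin/example:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800849000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800ab8000)
    libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x800eb0000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x801130000)
    libc.so.7 => /lib/libc.so.7 (0x801526000)
EOF
}

# Real use would be: ldd /path/to/binary | openssl_origins
if sample_mixed | openssl_origins; then
    echo "WARNING: base and ports OpenSSL libraries in the same image"
fi
```
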