Date: Thu, 15 May 2003 19:35:02 -0000 From: Erik Trulsson <ertr1013@student.uu.se> To: Dag-Erling Smorgrav <des@ofug.org> Cc: arch@freebsd.org Subject: Re: NOCRYPT / NOSECURE Message-ID: <20030515193457.GA19619@falcon.midgard.homeip.net> In-Reply-To: <xzpr870mgvb.fsf@flood.ping.uio.no> References: <xzpr870mgvb.fsf@flood.ping.uio.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, May 15, 2003 at 04:20:08PM +0200, Dag-Erling Smorgrav wrote: > I just tried to run a tinderbox with NOCRYPT and NOSECURE (but not > NO_OPENSSL) defined. It failed because there are Makefiles > (games/factor was the one that broke the build, but glimpse(1) tells > me there are others) which check NO_OPENSSL and / or NOCRYPT but not > NOSECURE. > > NOSECURE is a meaningless subset of NOCRYPT. It means "don't descend > into src/secure", but that's equivalent to NOCRYPT because a) we don't > descend into src/secure if NOCRYPT is set and b) the only significant > stuff which NOCRYPT disables but NOSECURE doesn't is Kerberos, which > requires OpenSSL, which isn't built in the NOSECURE case, so there's > no way we can build world with NOSECURE but not NOCRYPT. > > I would therefore like to remove NOSECURE, preferably before 5.1. > > NO_OPENSSL is also a subset of NOCRYPT. There is so little that > builds with NO_OPENSSL but not with NOCRYPT that I think it might be > worthwhile to deprecate NO_OPENSSL and change the description of > NOCRYPT from "will prevent building of crypt versions" to "do not > build crypto-related software" NO_OPENSSL would seem to be useful after doing 'make -DOPENSSL_OVERWRITE_BASE install' in the security/openssl port. I.e. NO_OPENSSL (as well as several of the other NO_xxx flags) make sure that you can replace some utilities with newer versions from ports without the next make world undoing all that. > > We also have something called libcipher which is only used by bdes(1); > the OpenSSL distribution contains a similar and AFAIK compatible > utility (src/crypto/openssl/crypto/des/des.c) which we don't currently > build. We should probably ditch both libcipher and bdes(1), and > perhaps add OpenSSL's des(1) to the build if our users really want it, > though 'ln -s /usr/bin/openssl /usr/bin/des' goes a long way. -- <Insert your favourite quote here.> Erik Trulsson ertr1013@student.uu.se
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030515193457.GA19619>