From: Erik Trulsson
To: Dag-Erling Smorgrav
cc: arch@freebsd.org
Subject: Re: NOCRYPT / NOSECURE
Date: Thu, 15 May 2003 19:35:02 -0000
Message-ID: <20030515193457.GA19619@falcon.midgard.homeip.net>
List-Id: Discussion related to FreeBSD architecture

On Thu, May 15, 2003 at 04:20:08PM +0200, Dag-Erling Smorgrav wrote:
> I just tried to run a tinderbox with NOCRYPT and NOSECURE (but not
> NO_OPENSSL) defined.  It failed because there are Makefiles
> (games/factor was the one that broke the build, but glimpse(1) tells
> me there are others) which check NO_OPENSSL and / or NOCRYPT but not
> NOSECURE.
>
> NOSECURE is a meaningless subset of NOCRYPT.  It means "don't descend
> into src/secure", but that's equivalent to NOCRYPT because a) we don't
> descend into src/secure if NOCRYPT is set and b) the only significant
> stuff which NOCRYPT disables but NOSECURE doesn't is Kerberos, which
> requires OpenSSL, which isn't built in the NOSECURE case, so there's
> no way we can build world with NOSECURE but not NOCRYPT.
>
> I would therefore like to remove NOSECURE, preferably before 5.1.
>
> NO_OPENSSL is also a subset of NOCRYPT.  There is so little that
> builds with NO_OPENSSL but not with NOCRYPT that I think it might be
> worthwhile to deprecate NO_OPENSSL and change the description of
> NOCRYPT from "will prevent building of crypt versions" to "do not
> build crypto-related software"

NO_OPENSSL would seem to be useful after doing
'make -DOPENSSL_OVERWRITE_BASE install' in the security/openssl port.
I.e. NO_OPENSSL (as well as several of the other NO_xxx flags) make sure
that you can replace some utilities with newer versions from ports
without the next make world undoing all that.

>
> We also have something called libcipher which is only used by bdes(1);
> the OpenSSL distribution contains a similar and AFAIK compatible
> utility (src/crypto/openssl/crypto/des/des.c) which we don't currently
> build.  We should probably ditch both libcipher and bdes(1), and
> perhaps add OpenSSL's des(1) to the build if our users really want it,
> though 'ln -s /usr/bin/openssl /usr/bin/des' goes a long way.

-- 
Erik Trulsson
ertr1013@student.uu.se