Date: Tue, 14 Jul 2015 10:45:53 +1000
From: Dewayne Geraghty <dewayne.geraghty@consciuminternational.com.au>
To: Matt Smith <fbsd@xtaz.co.uk>
Cc: FreeBSD Stable Mailing List <freebsd-stable@freebsd.org>
Subject: Re: WITHOUT_OPENSSL and make delete-old
Message-ID: <55A45BC1.7000004@consciuminternational.com.au>
In-Reply-To: <20150713140352.GB1284@xtaz.uk>
References: <20150713140352.GB1284@xtaz.uk>
On 14/07/2015 12:03 AM, Matt Smith wrote:
> Hi, I use the ports version of OpenSSL for everything and don't
> require the base version. As a result I thought I would remove it by
> adding WITHOUT_OPENSSL into /etc/src.conf and running make delete-old
> in /usr/src. However this seems to only want to delete things related
> to kerberos and gssapi, which is understandable as they depend on
> OpenSSL. However it doesn't seem to touch any OpenSSL files at all.
> Is this a bug or have I missed something?
>

Matt, I've been down that road. And for a few years, I installed the openssl port over openssl base. But things have changed a lot: geli uses openssl headers, libarchive (hence tar, cpio) and libarchive need openssl; and of course kerberos and openssh. Also, if you remove gssapi then you won't be able to build gssd (used for kernel/NFS gssapi).

The way I "get around" this issue is to build a base system that uses base openssl to build the necessary "base" components, using WITHOUT_[KERBEROS,OPENSSH]. Using this base system, I build a couple of jails, which are used to build the ports. For these jails I remove any remnants of base openssl. Then I'm able to build everything and install onto the production servers only what they need. (Pay attention to where base openssl places libcom_err.*, it sometimes slips through. I have a PR for this; and a build script removes it.)

What do you lose? The FreeBSD version of openssl is tweaked by very knowledgeable members (both Dag-Erling Smorgrav and John-Mark Gurney et al), so you may want to examine their changes.

There is/was talk about making base openssl "private", which I believe will accomplish the same result: base openssl for the base system, and port openssl for port building. I don't have details or timeline for these changes.

Why did I bother? Historically, I installed heimdal 1.0.1 while base heimdal was at 0.6.3. And for my use case: no nfs, needed additional ciphers (at the time) and a slightly different attack surface; my build system works. :)

I hope I've saved you some time.

Regards, Dewayne.

--
For the talkers: “The superior man acts before he speaks, and afterwards speaks according to his action.”
For everyone else: “Life is really simple, but we insist on making it complicated.”
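As an added check (not code from the thread or from FreeBSD itself), the following POSIX sh audit lists base-OpenSSL files still present under a build or jail root, the kind of remnant the reply says a build script has to strip after WITHOUT_OPENSSL and make delete-old; the path globs are my assumption about where FreeBSD base installs these files, so adjust them for the release you build.

```shell
#!/bin/sh
# Added example, not from the thread: audit a build root or jail root for
# base-OpenSSL remnants that "make delete-old" with WITHOUT_OPENSSL may leave
# behind. The globs below are an assumption about where FreeBSD base installs
# these files; verify them against your own release before relying on them.

# Print every remnant found under the root given as $1, one relative path per line.
find_base_ssl_remnants() {
    root="${1%/}"
    # libcom_err is included because the reply reports it slipping through.
    for pat in \
        'lib/libcrypto.so*' \
        'usr/lib/libcrypto.*' \
        'usr/lib/libssl.*' \
        'usr/lib/libcom_err.*' \
        'usr/include/openssl' \
        'usr/bin/openssl'
    do
        # Unquoted $pat lets the shell expand the glob relative to the root.
        for f in "$root"/$pat; do
            [ -e "$f" ] && printf '%s\n' "${f#"$root"/}"
        done
    done
    return 0
}

# Number of remnants under $1; a build script can gate on this being "0".
count_base_ssl_remnants() {
    find_base_ssl_remnants "$1" | wc -l | tr -d ' '
}

# Usage: sh audit-ssl-remnants.sh /path/to/jail-root
# Exits non-zero (under set -e) when any remnant is still present.
if [ "$#" -eq 1 ]; then
    find_base_ssl_remnants "$1"
    [ "$(count_base_ssl_remnants "$1")" = "0" ]
fi
```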