Date: Sun, 30 Jul 2023 10:35:28 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 272816] pkgbase: caroot and openssl packages need reorganising
Message-ID: <bug-272816-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272816

            Bug ID: 272816
           Summary: pkgbase: caroot and openssl packages need reorganising
           Product: Base System
           Version: 13.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: misc
          Assignee: bugs@FreeBSD.org
          Reporter: dfr@rabson.org

A popular base container image for linux containers is the distroless family
of images (https://github.com/GoogleContainerTools/distroless).

For statically linked openssl based programs, there is a very small 'static'
image which contains just certificates and a few config files. For dynamically
linked program support there is also 'base' which adds in base system dynamic
libs as well as openssl libs. These help to reduce the attack surface on the
inside of the container as well as reducing the raw image size.

Trying to use pkgbase to build something like distroless-static isn't currently
possible since the FreeBSD-caroot package which contains the certificates also
depends on FreeBSD-openssl which has all the ssl dynamic libs. Building
something like distroless-base is almost possible but FreeBSD-openssl also
installs the openssl utility which isn't wanted and is ~0.7Mb in size.

Perhaps FreeBSD-caroot could split out the certificates into another package or
possibly just not depend on FreeBSD-openssl? To avoid installing
/usr/bin/openssl when adding SSL dynamic libs, perhaps FreeBSD-openssl could
split out the libs into FreeBSD-openssl-libs?

-- 
You are receiving this mail because:
You are the assignee for the bug.