From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 272816] pkgbase: caroot and openssl packages need reorganising
Date: Sun, 30 Jul 2023 10:35:28 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272816

Bug ID: 272816
Summary: pkgbase: caroot and openssl packages need reorganising
Product: Base System
Version: 13.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: misc
Assignee: bugs@FreeBSD.org
Reporter: dfr@rabson.org

A popular base container image for Linux containers is the distroless family of images (https://github.com/GoogleContainerTools/distroless). For statically linked openssl-based programs, there is a very small 'static' image which contains just certificates and a few config files. For dynamically linked program support there is also 'base' which adds in base system dynamic libs as well as openssl libs. These help to reduce the attack surface on the inside of the container as well as reducing the raw image size.

Trying to use pkgbase to build something like distroless-static isn't currently possible since the FreeBSD-caroot package which contains the certificates also depends on FreeBSD-openssl which has all the ssl dynamic libs. Building something like distroless-base is almost possible but FreeBSD-openssl also installs the openssl utility which isn't wanted and is ~0.7Mb in size.

Perhaps FreeBSD-caroot could split out the certificates into another package or possibly just not depend on FreeBSD-openssl? To avoid installing /usr/bin/openssl when adding SSL dynamic libs, perhaps FreeBSD-openssl could split out the libs into FreeBSD-openssl-libs?

-- 
You are receiving this mail because:
You are the assignee for the bug.