Date: Wed, 14 Apr 2004 12:56:01 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-ports@freebsd.org
Subject: Re: SA-04:05 single patch && bsd.openssl.mk problem
Message-ID: <20040414175601.GF98765@madman.celabo.org>
In-Reply-To: <Pine.BSF.4.53.0404141708380.9278@e0-0.zab2.int.zabbadoz.net>
References: <Pine.BSF.4.53.0404141708380.9278@e0-0.zab2.int.zabbadoz.net>

On Wed, Apr 14, 2004 at 05:49:25PM +0000, Bjoern A. Zeeb wrote:
> Hi,
>
> when applying the patch from SA-04:05[1] and re-building changed parts
> of the base system opensslv.h does not get altered with the update
> like it did with the commits to the various branches [2].

Often the patch file will have changes to version strings elided in
order to facilitate actual patching.

> [1] ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:05/openssl.patch
> [2] p.ex. http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssl/crypto/opensslv.h.diff?r1=1.1.1.1.2.8&r2=1.1.1.1.2.9
>
> bsd.openssl.mk now doing a string compare on p.ex. "0.9.7a-p1" which
> will fail. Thus ports that set USE_OPENSSL will depend on the
> openssl package.
>
> This logic is broken as the base system is patched and the openssl
> package is not needed.

Put USE_OPENSSL_BASE=yes in /etc/make.conf to defeat bsd.openssl.mk's
logic.

> So the SA patches should also update the version strings in headers

In general, this will be avoided.

> - or more general commit the same parts (only) that get published
> as single patches

Providing patches really serves a different purpose than what you want.
It is provided (a) to illustrate the actual problem; (b) to allow
people who ``know what they are doing'' to patch their systems, even
if they are running something quite different from stock FreeBSD.

> (or even better the other way round: should publish
> a complete single patch from what got previously committed).

Since actual patches are in CVS, it makes little sense to duplicate
them on the FTP site.

> What short term solutions are there for people building ports
> [ I do not really like any of those ] ?
>
> - setting USE_OPENSSL_BASE=yes seems to be a possible workaround
> forcing the version of the base system and not the port to be used.
> - patching the header file by hand is not a real solution but should
> work too.
>
> - would it be possible to make the check in bsd.openssl.mk somehow
> more intelligent to better detect a patched version ?
>
> - ... ?

Use CVSup, CVS, or cvsweb to update your local files if you want to
track security branches.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org