From: "Jacques A. Vidrine"
To: "Bjoern A. Zeeb"
Cc: dinoex@FreeBSD.org, freebsd-ports@freebsd.org
Date: Wed, 14 Apr 2004 12:56:01 -0500
Subject: Re: SA-04:05 single patch && bsd.openssl.mk problem
Message-ID: <20040414175601.GF98765@madman.celabo.org>
User-Agent: Mutt/1.5.6i
X-Url: http://www.celabo.org/
List-Id: Porting software to FreeBSD

On Wed, Apr 14, 2004 at 05:49:25PM +0000, Bjoern A. Zeeb wrote:
> Hi,
>
> when applying the patch from SA-04:05[1] and re-building changed parts
> of the base system opensslv.h does not get altered with the update
> like it did with the commits to the various branches [2].
Often the patch file will have changes to version strings elided in
order to facilitate actual patching.

> [1] ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:05/openssl.patch
> [2] p.ex. http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssl/crypto/opensslv.h.diff?r1=1.1.1.1.2.8&r2=1.1.1.1.2.9
>
> bsd.openssl.mk now doing a string compare on p.ex. "0.9.7a-p1" which
> will fail. Thus ports that set USE_OPENSSL will depend on the
> openssl package.
>
> This logic is broken as the base system is patched and the openssl
> package is not needed.

Put USE_OPENSSL_BASE=yes in /etc/make.conf to defeat bsd.openssl.mk's
logic.

> So the SA patches should also update the version strings in headers

In general, this will be avoided.

> - or more general commit the same parts (only) that get published
>   as single patches

Providing patches really serves a different purpose than what you
want.  It is provided (a) to illustrate the actual problem; (b) to
allow people who ``know what they are doing'' to patch their systems,
even if they are running something quite different from stock FreeBSD.

> (or even better the other way round: should publish
> a complete single patch from what got previously committed).

Since actual patches are in CVS, it makes little sense to duplicate
them on the FTP site.

> What short term solutions are there for people building ports
> [ I do not really like any of those ] ?
>
> - setting USE_OPENSSL_BASE=yes seems to be a possible workaround
>   forcing the version of the base system and not the port to be used.
> - patching the header file by hand is not a real solution but should
>   work too.
>
> - would it be possible to make the check in bsd.openssl.mk somehow
>   more intelligent to better detect a patched version ?
>
> - ... ?

Use CVSup, CVS, or cvsweb to update your local files if you want to
track security branches.

Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
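The thread turns on how a build system decides whether the base OpenSSL is new enough: a plain string compare treats "0.9.7a-p1" as unequal to "0.9.7a" and so falls back to the port. The POSIX sh script below is an added illustration written for this archive page; it is not bsd.openssl.mk's logic and not code from either correspondent. It extracts the version token from a constructed OPENSSL_VERSION_TEXT line (the header line and its value are assumed for illustration), then contrasts the naive equality test with a comparison that understands the "major.minor.fix[letter][-pN]" shape, so "0.9.7a-p1" is accepted as at least "0.9.7a". The helper names (openssl_version_from_header, version_key, version_ge, naive_matches) are this example's own.

```shell
#!/bin/sh
# Constructed sample of an OPENSSL_VERSION_TEXT line; the value is made up
# for this example and is not copied from any real opensslv.h.
SAMPLE_HEADER='#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7a-p1 19 Feb 2003"'

# Pull the bare version token (e.g. 0.9.7a-p1) out of an OPENSSL_VERSION_TEXT line.
openssl_version_from_header() {
    printf '%s\n' "$1" | sed -n 's/.*"OpenSSL \([^ ]*\).*/\1/p'
}

# Map a release letter to a number (a=1, b=2, ...); no letter ranks as 0.
letter_rank() {
    [ -n "$1" ] || { echo 0; return; }
    echo $(( $(printf '%d' "'$1") - 96 ))
}

# Turn "0.9.7a-p1" into five numeric fields: major minor fix letter patchlevel.
# A missing letter or missing -pN suffix contributes 0 for that field.
version_key() {
    v=$1
    base=${v%%-p*}
    plevel=0
    case $v in *-p*) plevel=${v##*-p} ;; esac
    nums=$(printf '%s' "$base" | sed 's/[a-z]*$//')
    letter=$(printf '%s' "$base" | sed 's/^[0-9.]*//')
    set -- $(printf '%s\n' "$nums" | tr '.' ' ')
    printf '%d %d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$(letter_rank "$letter")" "$plevel"
}

# version_ge A B: exit 0 when version A is at least version B, 1 otherwise.
# Fields are compared left to right, so a new release letter outranks any -pN.
version_ge() {
    ka=$(version_key "$1"); kb=$(version_key "$2")
    set -- $ka
    a1=$1; a2=$2; a3=$3; a4=$4; a5=$5
    set -- $kb
    for pair in "$a1:$1" "$a2:$2" "$a3:$3" "$a4:$4" "$a5:$5"; do
        a=${pair%%:*}; b=${pair##*:}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# The naive check: exact string equality, which rejects any -pN suffix.
naive_matches() { [ "$1" = "$2" ]; }

ver=$(openssl_version_from_header "$SAMPLE_HEADER")
if naive_matches "$ver" "0.9.7a"; then
    echo "naive compare: $ver matches 0.9.7a"
else
    echo "naive compare: $ver does NOT match 0.9.7a (would pull in the port)"
fi
if version_ge "$ver" "0.9.7a"; then
    echo "structured compare: $ver >= 0.9.7a (base system accepted)"
fi
```

Even the structured comparison only sees what the header says: when an SA patch elides the version-string change, the patched base system is indistinguishable from the unpatched one by any version check, which is why the reply points at USE_OPENSSL_BASE=yes in /etc/make.conf or tracking the security branch from CVS rather than a smarter string test.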