From: Baptiste Daroussin
Date: Thu, 9 Apr 2015 18:14:07 +0200
To: Loganaden Velvindron
Cc: Christian Weisgerber, FreeBSD ports, Bryan Drewery
Subject: Re: LibreSSL infects ports, causes problems
Message-ID: <20150409161407.GU95321@ivaldir.etoilebsd.net>

On Thu, Apr 09, 2015 at 04:00:45PM +0000, Loganaden Velvindron wrote:
> On Thu, Apr 9, 2015 at 3:56 PM, Baptiste Daroussin wrote:
> > On Thu, Apr 09, 2015 at 05:53:45PM +0200, Christian Weisgerber wrote:
> >> Baptiste Daroussin:
> >>
> >> > Somehow you have mixed up things between base openssl and libressl, when
> >> > starting to activate libressl if you are using ports only you have to be extra
> >> > careful, (same goes with ncurses or ports openssl) just installing those ports
> >> > is enough to "pollute" nearly anything you build after with a dependency on it
> >> > (well anything that does link to libssl, libcrypto)
> >>
> >> Well, yes, that's what I said. It's a bug.
> >>
> >> > If it very complicated and
> >> > error prone to cherry pick "only take base openssl here, only ports openssl
> >> > there" the only "safe" way to solve this situation and being consistent is to
> >> > always skip the version from base and enforce the version for ports. (the
> >> > other way around is impossible - very complicated)
> >>
> >> And the addition of LibreSSL as a not-quite-equivalent alternative
> >> to ports OpenSSL makes this even more complicated. You can expect
> >> things coming out of OpenBSD (like new versions of net/openntpd)
> >> to require LibreSSL, because it includes a new library libtls that
> >> doesn't exist in OpenSSL. In the meantime, LibreSSL has removed
> >> some of the more horrific APIs of OpenSSL, which means some ports
> >> will not build against LibreSSL as is. Like python27. Fixes for
> >> these problems can be picked from the OpenBSD ports tree, if we
> >> want to.
> >>
> >> It's kind of hard to fix such problems if there is no clear policy
> >> how things are supposed to work in the first place.
> >>
> >
> > I and others are working on a policy about that: always enforce openssl from
> > ports with just a flag to say I want openssl or I want libressl but not both,
> > would apply to other libs that behave the same way but I have limited time on
> > this anyone who wants to work on that is welcome :)
>
> I think that we need to build up a team of people who are interested
> in making that happen in FreeBSD.
>
> I would be very interested to have a LibreSSL-powered FreeBSD server
> for production use at work.
>

The thing is when you start pulling the string on this then you have to handle
all the other cases, because ports binaries will end up with some rpath to make
sure it finds in priority things from localbase, but then if it is also linked
to libarchive, ncurses, etc it will grab the localbase version as well
(depending on the shlib version of those) so doing the job for one of the libs
means doing it for all others.

For now candidates are:
libarchive
ncurses
readline (which will have then to be linked to ports ncurses and not base version
through the magic of fake libtermcap)
openssl
libedit(?)

for now I do have:
http://people.freebsd.org/~bapt/nobase.mk
http://people.freebsd.org/~bapt/ssl.mk which will make switch from USE_OPENSSL
to USES=ssl

nobase.mk is for ncurses basically USES=ncurses will die and ncurses will just
become a regular LIB_DEPENDS

When it becomes fun is that now all ports will have to really respect LDFLAGS...
I already found a couple of bad boys in that area.

btw that should also solve some issues with python and its ncurses module.

Best regards,
Bapt
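
Added example (not part of the original message or of the ports tree): a check for the situation the message describes, where one process ends up with the same library from both base and localbase. The sample `ldd` output and its soname versions are constructed, and LOCALBASE is assumed to be /usr/local.

```sh
#!/bin/sh
# Added example. Reads `ldd`-style output on stdin and reports where the
# libraries named in the message resolve from: base or ports (LOCALBASE).
# Assumption: LOCALBASE is /usr/local unless set in the environment.
LOCALBASE="${LOCALBASE:-/usr/local}"

# Print "<origin> <library> <path>" for each candidate library.
classify_deps() {
    awk -v lb="$LOCALBASE" '
        $2 == "=>" {
            name = $1; path = $3
            sub(/\.so.*$/, "", name)          # libssl.so.7 -> libssl
            if (name !~ /^lib(ssl|crypto|archive|ncurses|readline|edit)$/) next
            origin = (index(path, lb "/") == 1) ? "ports" : "base"
            print origin, name, path
        }'
}

# Print the libraries that one process would load from BOTH base and ports.
both_origins() {
    classify_deps | awk '
        { from[$2] = from[$2] " " $1 }
        END {
            for (lib in from)
                if (from[lib] ~ /base/ && from[lib] ~ /ports/) print lib
        }' | sort
}

# Constructed sample (not captured from a real system): a ports binary whose
# dependency chain pulls libssl/libcrypto from both prefixes.
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/example:
    libssl.so.32 => /usr/local/lib/libssl.so.32 (0x800a00000)
    libcrypto.so.32 => /usr/local/lib/libcrypto.so.32 (0x800c00000)
    libssl.so.7 => /usr/lib/libssl.so.7 (0x800e00000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x801000000)
    libncurses.so.8 => /lib/libncurses.so.8 (0x801200000)
    libc.so.7 => /lib/libc.so.7 (0x801400000)
EOF
}

sample_ldd | classify_deps
echo "loaded from both base and ports:"
sample_ldd | both_origins
```

On a real system the input would come from `ldd /path/to/binary | both_origins`; any library it prints is being loaded twice into the same process.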