From owner-freebsd-security@FreeBSD.ORG Tue Jun 2 15:17:38 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 35B18ADB; Tue, 2 Jun 2015 15:17:38 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1542712EF; Tue, 2 Jun 2015 15:17:38 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from mail.xzibition.com (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id t52FHb64011968; Tue, 2 Jun 2015 15:17:37 GMT (envelope-from bdrewery@FreeBSD.org) Received: from mail.xzibition.com (localhost [172.31.3.2]) by mail.xzibition.com (Postfix) with ESMTP id 74D4586B1; Tue, 2 Jun 2015 15:17:37 +0000 (UTC) X-Virus-Scanned: amavisd-new at mail.xzibition.com Received: from mail.xzibition.com ([172.31.3.2]) by mail.xzibition.com (mail.xzibition.com [172.31.3.2]) (amavisd-new, port 10026) with LMTP id FP1WRmT8nE5t; Tue, 2 Jun 2015 15:17:37 +0000 (UTC) Message-ID: <556DC912.1060808@FreeBSD.org> DKIM-Filter: OpenDKIM Filter v2.9.2 mail.xzibition.com 85C1286AE Date: Tue, 02 Jun 2015 10:17:38 -0500 From: Bryan Drewery Organization: FreeBSD User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: Kimmo Paasiala , Benjamin Kaduk CC: freebsd-security , Don Lewis Subject: Re: avoiding base openssl when building ports References: <201506010138.t511cp2P088983@gw.catspoiler.org> In-Reply-To: OpenPGP: id=F9173CB2C3AAEA7A5C8A1F0935D771BB6E4697CF; url=http://www.shatow.net/bryan/bryan2.asc Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="A14iunkffbF9ccacKIouEgWGdcimtBGxT" X-Mailman-Approved-At: Tue, 02 Jun 2015 15:18:59 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jun 2015 15:17:38 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --A14iunkffbF9ccacKIouEgWGdcimtBGxT Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 6/1/2015 11:25 AM, Kimmo Paasiala wrote: > On Mon, Jun 1, 2015 at 7:17 PM, Benjamin Kaduk wrote: >> On Sun, 31 May 2015, Don Lewis wrote: >> >>> The big culprit turned out to be ftp/curl. Even though >>> WITH_OPENSSL_PORT=3Dyes caused it to add the openssl port as a build = and >>> run dependency, it was silently getting linked to openssl from base. = The >>> cause of that problem is that the default GSSAPI_BASE option adds >>> -L/usr/lib near the start of LDFLAGS, so the linker finds the base >>> openssl libraries instead of the ones from the port. I worked around= >>> that problem by switching to GSSAPI_NONE, though I tested that the ot= her >>> GSSAPI_* options also work correctly. There is a sanity check in the= >>> Makefile that attempts to catch this conflict, but it does not work >>> correctly. See >>> . >> >> My apologies for semi-hijacking your thread, but I am starting to wond= er >> whether the base Heimdal (and GSSAPI) should be converted to be a priv= ate >> library. Since I am living in a MIT krb5 world, which is incompatible= >> with the Heimdal libraries, I end up having some trouble trying to for= ce >> various things to be used from base vs. ports. >> >> Making the Heimdal in base into private libraries would "solve" the >> problem with ftp/curl, but only insamuch as it would make the GSSAPI_B= ASE >> option useless and require a GSSAPI from ports. >> >> -Ben >=20 >=20 > Rumour is that something like that is going to happen with all of the > problematic libraries by making them private. If someone with inside > knowledge could confirm these rumours? ;) I don't know why you call this a rumor. It's an ongoing effort for over a year now. It's just been slow due to lack of consensus and other technical and social issues. It's not that we try to keep things secret here, it's just that we tend to discuss on IRC and then if the issue is big enough discuss it on arch@ or just use a phabricator review. If it is trivial and there is no concern of problems then it is just committed. It's simply not practical to discuss everything in email. Usually we get an itch to make a library private and discuss it quickly in a private message and then produce a patch. >=20 > This leads to another question. Where is the line going to be drawn > which libraries in the base system should be private? There are > certainly some of them that have to be public like libc and the > support libraries like libusb. There is certainly no sense in making > the ports system use full set of its own libraries for everything > either. Everything we do is wrong. Obviously we can't make libc private. In the current scheme only 3rd party libraries or libraries that are only needed for internal build tools or libraries which are constant security concerns are really eligible for becoming private libs. In a correct world everything in the base system would be a "package" in the same sense as ports has "packages". Libc too would be a "package". We would have 1 and only 1 OpenSSL "package" rather than a private one and port one. When this discussion comes up people tend to jump to the wrong conclusions. This is not suggesting making the base system only a kernel and "good luck go run pkg". It's just saying everything would be packaged and most likely due to POLA be the same installed files we provide today in the base world system. Our base system and ports system frameworks are severely lacking to make this all possible today though. We also have social hurdles. The way we're doing private libs now is flawed as is since it easily leaks these private libs into the public linker space. For example, if we made OpenSSL private in the base then libfetch would be providing OpenSSL private lib links when libfetch was linked in. This defeats the purpose of having OpenSSL as private and can cause collisions. Regards, Bryan Drewery --A14iunkffbF9ccacKIouEgWGdcimtBGxT Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAgAGBQJVbckSAAoJEDXXcbtuRpfP5BAH/jfnfsSaHFXR2MJTP0pgke4O GiOlcdq3ioyG9gVsf9fXZZaYn/7J9//r+hb/v6FlnWYsOIc4/ylGPAkENXuBVN7d 8nhKUai9OYGllGZ9umOPm44gLysFkBm1wGfpOY6FkeEx3yQNOQzmB9Jb4o7EdtZ7 pKxvcrVDQ32Osz7xufp8/lbYXrS8caWoLmbOfIdCnrLZHrxmUhYznpLQi2BIQ/pp 7HcvV5bxitE5I+HnBHCccSLHsPu8yw+JpwOd+brYCWoFuCgrCaDfpUY7wCPDHtj0 fJAcYSNC28X2O0uMbkYV2dPqxs0B/e2iebP5PGdgpuliXMXxmqDrbbHQFhgthpw= =0pY4 -----END PGP SIGNATURE----- --A14iunkffbF9ccacKIouEgWGdcimtBGxT--