From owner-freebsd-current@FreeBSD.ORG  Sat Sep 14 13:52:08 2013
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: current@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id 8E34F97D;
 Sat, 14 Sep 2013 13:52:08 +0000 (UTC) (envelope-from ian@FreeBSD.org)
Received: from mho-01-ewr.mailhop.org (mho-03-ewr.mailhop.org [204.13.248.66])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 5EFCB2866;
 Sat, 14 Sep 2013 13:52:08 +0000 (UTC)
Received: from c-24-8-230-52.hsd1.co.comcast.net ([24.8.230.52]
 helo=damnhippie.dyndns.org)
 by mho-01-ewr.mailhop.org with esmtpsa (TLSv1:AES256-SHA:256)
 (Exim 4.72) (envelope-from <ian@FreeBSD.org>)
 id 1VKqGc-0003u7-T6; Sat, 14 Sep 2013 13:52:07 +0000
Received: from [172.22.42.240] (revolution.hippie.lan [172.22.42.240])
 by damnhippie.dyndns.org (8.14.3/8.14.3) with ESMTP id r8EDq3KG010684;
 Sat, 14 Sep 2013 07:52:03 -0600 (MDT) (envelope-from ian@FreeBSD.org)
X-Mail-Handler: Dyn Standard SMTP by Dyn
X-Originating-IP: 24.8.230.52
X-Report-Abuse-To: abuse@dyndns.com (see
 http://www.dyndns.com/services/sendlabs/outbound_abuse.html for abuse
 reporting information)
X-MHO-User: U2FsdGVkX1/fnKWfxFtLI6qzAUpugaBt
Subject: Re: HEADS UP: OpenSSH with DNSSEC support in 10
From: Ian Lepore <ian@FreeBSD.org>
To: Dag-Erling =?ISO-8859-1?Q?Sm=F8rgrav?= <des@des.no>
In-Reply-To: <86hadre740.fsf@nine.des.no>
References: <86hadre740.fsf@nine.des.no>
Content-Type: multipart/mixed; boundary="=-Od+6iFyHx+lFNMSnnmWx"
Date: Sat, 14 Sep 2013 07:52:02 -0600
Message-ID: <1379166722.1197.3.camel@revolution.hippie.lan>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.1 FreeBSD GNOME Team Port 
Cc: freebsd-security@FreeBSD.org, current@FreeBSD.org
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Sep 2013 13:52:08 -0000


--=-Od+6iFyHx+lFNMSnnmWx
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by damnhippie.dyndns.org id r8EDq3KG010684

On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Sm=F8rgrav wrote:
> OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
> disable LDNS in src.conf.  If DNSSEC is enabled, the default setting fo=
r
> VerifyHostKeyDNS is "yes".  This means that OpenSSH will silently trust
> DNSSEC-signed SSHFP records.  I consider this a lesser evil than "ask"
> (aka "train the user to type 'yes' and hit enter") and "no" (aka "train
> the user to type 'yes' and hit enter without even the benefit of a
> second opinion").
>=20
> DES

I just ran into a build error related to this:

--- libssh.so.5 ---
building shared library libssh.so.5
/local/build/staging/freebsd/wand/obj/arm.armv6/local/build/staging/freeb=
sd/wand/src/tmp/usr/bin/ld: cannot find -lldns
cc: error: linker command failed with exit code 1 (use -v to see invocati=
on)
*** [libssh.so.5] Error code 1

It only happens in one of my many build sandboxes, so I suspect it's
related to the WITH/WITHOUT options in effect and perhaps also to the
timing of parallel-build stuff.  In the sandbox where it fails I have
WITHOUT_KERBEROS and WITHOUT_PROFILE so I think that changes the timing
of getting to the libssh build.

I find that the attached patch fixes it for me.

-- Ian


--=-Od+6iFyHx+lFNMSnnmWx
Content-Disposition: inline; filename="libssh_build.diff"
Content-Type: text/x-patch; name="libssh_build.diff"; charset="us-ascii"
Content-Transfer-Encoding: 7bit

--- Makefile.inc1	Fri Sep 13 21:38:02 2013 -0600
+++ Makefile.inc1	Sat Sep 14 06:47:36 2013 -0600
@@ -1468,7 +1468,7 @@ lib/libcxxrt__L: gnu/lib/libgcc__L
 		lib/libradius lib/libsbuf lib/libtacplus \
 		${_cddl_lib_libumem} ${_cddl_lib_libnvpair} \
 		${_cddl_lib_libzfs_core} \
-		lib/libutil ${_lib_libypclnt} lib/libz lib/msun \
+		lib/libutil ${_lib_libypclnt} lib/libldns lib/libz lib/msun \
 		${_secure_lib_libcrypto} ${_secure_lib_libssh} \
 		${_secure_lib_libssl}
 
@@ -1505,10 +1505,11 @@ cddl/lib/libzfs_core__L: cddl/lib/libnvp
 .if ${MK_OPENSSL} != "no"
 _secure_lib_libcrypto= secure/lib/libcrypto
 _secure_lib_libssl= secure/lib/libssl
-lib/libradius__L secure/lib/libssl__L: secure/lib/libcrypto__L
+lib/libldns__L lib/libradius__L secure/lib/libssl__L: secure/lib/libcrypto__L
 .if ${MK_OPENSSH} != "no"
 _secure_lib_libssh= secure/lib/libssh
-secure/lib/libssh__L: lib/libz__L secure/lib/libcrypto__L lib/libcrypt__L
+secure/lib/libssh__L: lib/libz__L secure/lib/libcrypto__L lib/libcrypt__L \
+    lib/libldns__L
 .if ${MK_KERBEROS_SUPPORT} != "no"
 secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \
     kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \

--=-Od+6iFyHx+lFNMSnnmWx--