Date: Wed, 6 Apr 2016 16:25:06 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-ports@freebsd.org
Subject: Re: Committer needed for PR 208029
Message-ID: <57052A52.5020107@FreeBSD.org>
In-Reply-To: <15968328-7756-4053-822B-0DDB5CB07D37@ohlste.in>
References: <498CA3F8-15EF-45BD-880C-241F83CBE3DD@waschbuesch.de> <20160405185159.GK35640@home.opsec.eu> <20160405200835.GM35640@home.opsec.eu> <57042958.5010701@sorbs.net> <C96569DA-ADC5-4BE0-819A-7375C3F50D8E@waschbuesch.de> <20160406044431.GO35640@home.opsec.eu> <570517F1.5020305@ohlste.in> <20160406144727.GP35640@home.opsec.eu> <15968328-7756-4053-822B-0DDB5CB07D37@ohlste.in>

On 2016/04/06 16:05, Jim Ohlstein wrote:
> Hello,
>
>> On Apr 6, 2016, at 10:47 AM, Kurt Jaeger <lists@opsec.eu> wrote:
>>
>> Hi!
>>
>>> This is much ado about nothing. The "WITH_OPENSSL_PORT" option is there
>>> for just this purpose and is used in many ports.
>>
>> In 9.x this is sometimes a problem, if port X builds in variant 1
>> and port Y depends/links on X, but builds in variant 2. So it's
>> a temporary solution for 9.x and will be solved when 9.x is EOL'ed.
>>
>> I'm not sure how this is solved in 10.x/11.x, probably the base SSL
>> is much more up2date.
>>
>>> Forcing users who want to use this port to use OpenSSL from ports for
>>> ALL ports is overkill.
>>
>>> Think about official packages. Are ALL packages built against OpenSSL
>>> from ports, or only those that need them? It's the latter, of course.
>>> Are they incompatible in production? No.
>>
>> There are grey areas, and I guess it will be like that for 9.x.
>
> Not only 9.x. 10.x has OpenSSL 1.0.1. Some ports require 1.0.2 which is
> in ports. OpenSSL 1.1.0 is soon to be released but almost certainly won't
> be in 11. It's likely to always be an issue. It's up to each individual
> maintainer to make certain his or her ports behave correctly if binaries
> link to one another. For a port like this the proper solution is to use
> the least intrusive option.

The ultimate solution is that the base copy of openssl will be made
private to the base system, and that any port that needs openssl
functionality will simply use the ports version of openssl. This is
partly a consequence of packaging of base (coming for 11.0-RELEASE), but
not entirely so.

However, if you do build your own packages via poudriere or otherwise,
then it is a good idea to set WITH_OPENSSL_PORT=yes globally. It makes
it much easier to do useful security related things like /remove SSLv2
and SSLv3 support entirely/.

	Cheers,

	Matthew
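
The thread's concern is binaries that end up linked against both the base and the ports copy of OpenSSL. The following is an added example, not part of the original message or of the ports tree: a small audit that classifies `ldd` output by which copy each binary loads. The function names, the sample binaries and the library version numbers are constructed, and the path rule (base under /lib or /usr/lib, ports under /usr/local) is an assumption.

```shell
# Added example, not from the thread: flag binaries that load OpenSSL from
# both base and ports. Assumption: base libraries resolve under /lib or
# /usr/lib, ports libraries under /usr/local.

# Reads `ldd` output on stdin, prints "<binary>: base|ports|mixed|none".
classify_ssl_linkage() {
    awk '
        function report() {
            if (bin == "") return
            kind = "none"
            if (base && ports) kind = "mixed"
            else if (base)     kind = "base"
            else if (ports)    kind = "ports"
            print bin ": " kind
        }
        # Header line, e.g. "/usr/local/bin/foo:", starts a new binary.
        /:$/ && $0 == $1 {
            report()
            bin = substr($0, 1, length($0) - 1); base = 0; ports = 0
            next
        }
        # Dependency line: "libssl.so.N => /resolved/path (0xaddr)".
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\//)       ports = 1
            else if ($3 ~ /^(\/usr)?\/lib\//) base = 1
        }
        END { report() }
    '
}

# Constructed ldd output for three hypothetical binaries.
sample_ldd_output() {
    cat <<'EOF'
/usr/local/bin/app-a:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800823000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800a91000)
/usr/local/bin/app-b:
    libssl.so.7 => /usr/lib/libssl.so.7 (0x800823000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800a91000)
/usr/local/bin/app-c:
    libfoo.so.1 => /usr/local/lib/libfoo.so.1 (0x800823000)
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a40000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c91000)
EOF
}

# On a real host: ldd /usr/local/bin/* 2>/dev/null | classify_ssl_linkage
sample_ldd_output | classify_ssl_linkage
```

A "mixed" result is the case to investigate first: the process loads symbols from two OpenSSL versions, which is what building every port with WITH_OPENSSL_PORT=yes avoids.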