Date: Thu, 9 Apr 2015 16:00:45 +0000
From: Loganaden Velvindron <loganaden@gmail.com>
To: Baptiste Daroussin <bapt@freebsd.org>
Cc: Christian Weisgerber <naddy@mips.inka.de>, FreeBSD ports <freebsd-ports@freebsd.org>, Bryan Drewery <bdrewery@freebsd.org>
Subject: Re: LibreSSL infects ports, causes problems
Message-ID: <CAOp4FwS6%2BwkO1OPom5W6u6RHPNQaLXiyF-tR20Sq4=dyMV%2BcXw@mail.gmail.com>
In-Reply-To: <20150409155649.GT95321@ivaldir.etoilebsd.net>
References: <slrnmib1ur.2jau.naddy@lorvorc.mips.inka.de> <5525E609.70402@FreeBSD.org> <20150409115942.GA81282@lorvorc.mips.inka.de> <20150409130521.GQ95321@ivaldir.etoilebsd.net> <20150409155345.GA87497@lorvorc.mips.inka.de> <20150409155649.GT95321@ivaldir.etoilebsd.net>

On Thu, Apr 9, 2015 at 3:56 PM, Baptiste Daroussin <bapt@freebsd.org> wrote:
> On Thu, Apr 09, 2015 at 05:53:45PM +0200, Christian Weisgerber wrote:
>> Baptiste Daroussin:
>>
>> > Somehow you have mixed up things between base openssl and libressl, when
>> > starting to activate libressl if you are using ports only you have to be extra
>> > careful, (same goes with ncurses or ports openssl) just installing those ports
>> > is enough to "pollute" nearly anything you build after with a dependency on it
>> > (well anything that does link to libssl, libcrypto)
>>
>> Well, yes, that's what I said. It's a bug.
>>
>> > It is very complicated and
>> > error prone to cherry pick "only take base openssl here, only ports openssl
>> > there" the only "safe" way to solve this situation and being consistent is to
>> > always skip the version from base and enforce the version for ports. (the
>> > other way around is impossible - very complicated)
>>
>> And the addition of LibreSSL as a not-quite-equivalent alternative
>> to ports OpenSSL makes this even more complicated. You can expect
>> things coming out of OpenBSD (like new versions of net/openntpd)
>> to require LibreSSL, because it includes a new library libtls that
>> doesn't exist in OpenSSL. In the meantime, LibreSSL has removed
>> some of the more horrific APIs of OpenSSL, which means some ports
>> will not build against LibreSSL as is. Like python27. Fixes for
>> these problems can be picked from the OpenBSD ports tree, if we
>> want to.
>>
>> It's kind of hard to fix such problems if there is no clear policy
>> how things are supposed to work in the first place.
>>
>
> I and others are working on a policy about that: always enforce openssl from
> ports with just a flag to say I want openssl or I want libressl but not both,
> would apply to other libs that behave the same way but I have limited time on
> this, anyone who wants to work on that is welcome :)

I think that we need to build up a team of people who are interested
in making that happen in FreeBSD. I would be very interested to have a
LibreSSL-powered FreeBSD server for production use at work.

>
> Best regards,
> Bapt

-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
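
One way to audit the linkage problem discussed in this thread, as an added example that is not code from any of the posters or from the FreeBSD project: parse `ldd` output and report, per binary, whether libssl, libcrypto and libtls were resolved from base or from ports, flagging binaries that mix the two. It assumes base libraries live under /lib and /usr/lib and ports under the default /usr/local/lib; the `ldd` sample, binary names and library version numbers are constructed.

```python
import re

# Constructed `ldd` output in FreeBSD's format; names and versions are made up.
SAMPLE_LDD = """\
/usr/local/bin/exampled:
\tlibtls.so.3 => /usr/local/lib/libtls.so.3 (0x800823000)
\tlibssl.so.32 => /usr/local/lib/libssl.so.32 (0x800a2f000)
\tlibcrypto.so.7 => /lib/libcrypto.so.7 (0x800c8f000)
\tlibc.so.7 => /lib/libc.so.7 (0x801083000)
/usr/local/bin/otherd:
\tlibssl.so.7 => /usr/lib/libssl.so.7 (0x800823000)
\tlibcrypto.so.7 => /lib/libcrypto.so.7 (0x800a8f000)
\tlibc.so.7 => /lib/libc.so.7 (0x800e83000)
"""

# Only the TLS-related libraries named in the thread are tracked.
TLS_LIB = re.compile(r"^\s+(lib(?:ssl|crypto|tls))\.so\S*\s+=>\s+(\S+)")
PORTS_DIR = "/usr/local/lib/"       # assumption: default ports PREFIX
BASE_DIRS = ("/lib/", "/usr/lib/")  # assumption: base system library dirs


def origin(path):
    """Classify a resolved library path as 'ports', 'base' or 'other'."""
    if path.startswith(PORTS_DIR):
        return "ports"
    if path.startswith(BASE_DIRS):
        return "base"
    return "other"


def tls_linkage(ldd_text):
    """Return {binary: {library name: origin}} for the tracked libraries."""
    result, current = {}, None
    for line in ldd_text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            current = line[:-1]          # "path:" header starts a new binary
            result[current] = {}
            continue
        match = TLS_LIB.match(line)
        if match and current is not None:
            result[current][match.group(1)] = origin(match.group(2))
    return result


def mixed_binaries(ldd_text):
    """Binaries whose tracked libraries were resolved from more than one origin."""
    linkage = tls_linkage(ldd_text)
    return sorted(b for b, libs in linkage.items() if len(set(libs.values())) > 1)


if __name__ == "__main__":
    for name in mixed_binaries(SAMPLE_LDD):
        print("mixed base/ports TLS linkage:", name)
```

On a real host, the text passed in would be the captured output of `ldd` run over the installed binaries and shared objects.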