Date:      Wed, 06 Apr 2016 19:35:08 +0200
From:      Michelle Sullivan <michelle@sorbs.net>
To:        Jim Ohlstein <jim@ohlste.in>, Mathieu Arnold <mat@FreeBSD.org>
Cc:        Kurt Jaeger <lists@opsec.eu>, =?UTF-8?Q?Martin_Waschb=c3=bcsch?= <martin@waschbuesch.de>, ports@freebsd.org
Subject:   Re: Committer needed for PR 208029
Message-ID:  <570548CC.6000709@sorbs.net>
In-Reply-To: <57054338.2000702@ohlste.in>
References:  <498CA3F8-15EF-45BD-880C-241F83CBE3DD@waschbuesch.de> <20160405185159.GK35640@home.opsec.eu> <20160405200835.GM35640@home.opsec.eu> <57042958.5010701@sorbs.net> <C96569DA-ADC5-4BE0-819A-7375C3F50D8E@waschbuesch.de> <20160406044431.GO35640@home.opsec.eu> <570517F1.5020305@ohlste.in> <C370FD7BEFFDA8136306B7AD@ogg.in.absolight.net> <261A33F8-4884-48B4-9152-4AD9CBC2CE3F@ohlste.in> <0DD478F6916BDE9C42FC4EAA@ogg.in.absolight.net> <57054338.2000702@ohlste.in>

Jim Ohlstein wrote:
> Hello,
>
> On 4/6/16 12:39 PM, Mathieu Arnold wrote:
>> +--On 6 avril 2016 12:00:47 -0400 Jim Ohlstein <jim@ohlste.in> wrote:
>> | Hello,
>> |
>> |> On Apr 6, 2016, at 11:37 AM, Mathieu Arnold <mat@FreeBSD.org> wrote:
>> |>
>> |> +--On 6 avril 2016 10:06:41 -0400 Jim Ohlstein <jim@ohlste.in> wrote:
>> |> | Hello,
>> |> |
>> |> | On 4/6/16 12:44 AM, Kurt Jaeger wrote:
>> |> |> Hi!
>> |> |>
>> |> |>> Actually, I just noticed (when compiling the port), that the Makefile
>> |> |>> now says:
>> |> |>>
>> |> |>> WITH_OPENSSL_PORT=yes
>> |> |>
>> |> |> Yes, sorry, my fault. Fixed, and as suggested by mat: It is
>> |> |> now as IGNORE with a message explaining how to do it for 9.x.
>> |> |>
>> |> |
>> |> | This is much ado about nothing. The "WITH_OPENSSL_PORT" option is there
>> |> | for just this purpose and is used in many ports.
>> |>
>> |> No, the WITH_OPENSSL_PORT knob is a global one, and must not be used in
>> |> ports makefiles.  The fact is, there are ports using it, true, it does
>> |> not mean it is the right thing to do.
>> |>
>> |
>> | Then there are many ports being committed incorrectly, as well as, no
>> | doubt, many *official* packages.
>> |
>> | I really have no dog in this fight. I use it globally and build all of my
>> | own packages with poudriere, but either it shouldn't be there at all, or
>> | it should be ok to use. Having it available as an option to porters and
>> | then saying it shouldn't be used seems a bit silly.
>>
>> Well, it is not available for the porters as it is a global directive, they
>> use it anyway.
>>
>> Anyway, like I said, working on it.
>>
>
> Maybe an edit to portlint is in order. That way they might know. As of 
> now, portlint does not so much as emit a warning.
>
> I don't entirely disagree with the premise that all ports that require 
> OpenSSL should be built against the version in ports. As I said, I do 
> it and it also makes port maintenance simpler. However, as long as it 
> is actually an option, as it is now, then it should be availed when 
> desired.
I don't agree or disagree for what it's worth... What I do say though is
wherever possible all ports should be compiled against one version..
of course GSSAPI support is a 'special case' in point that might have to
break that rule of thumb.

>
> Further down the road (but not all that far) I foresee other, perhaps 
> bigger problems if using this strategy. OpenSSL 1.1.0 is in beta and 
> will be released within the next month or two. It is not completely 
> backward compatible. 

100% there...!

> At some point it will become the official ports version and/or two 
> versions will need to be maintained in ports, 1.0.2 (LTS until 2019) 
> and 1.1.x. This will create the problem of some/many ports not 
> building against 1.1.x and some ports or port options _requiring_ 
> 1.1.x. Assuming 1.1.x is the main OpenSSL in ports, there will be 
> ports that would build properly against OpenSSL in base (but cannot be 
> built that way if using the ports version is mandated), and do not 
> compile against OpenSSL 1.1.x. Most can no doubt be patched, but 
> waiting for upstream providers to do so may be problematic, and many 
> porters lack the skills.
>
Personally I'm surprised there is not more than one major version of 
openssl in the ports tree already.. perhaps there should be...

-- 
Michelle Sullivan
http://www.mhix.org/



