Date:      Sun, 31 May 2015 17:21:49 -0700 (PDT)
From:      Don Lewis <truckman@FreeBSD.org>
To:        freebsd-security@FreeBSD.org
Subject:   avoiding base openssl when building ports
Message-ID:  <201506010138.t511cp2P088983@gw.catspoiler.org>

After all the noise about base openssl vs. ports openssl on this list a
couple of weeks ago, I bit the bullet and tossed WITH_OPENSSL_PORT=yes
in poudriere.d/*-make.conf and kicked off a poudriere run.  It chugged
for quite a while and rebuilt lots of ports.  After it was done, I ran
pkg upgrade and was dismayed when I discovered that ldd told me that
quite a few executables were linked to openssl in base.

The big culprit turned out to be ftp/curl.  Even though
WITH_OPENSSL_PORT=yes caused it to add the openssl port as a build and
run dependency, it was silently getting linked to openssl from base. The
cause of that problem is that the default GSSAPI_BASE option adds
-L/usr/lib near the start of LDFLAGS, so the linker finds the base
openssl libraries instead of the ones from the port.  I worked around
that problem by switching to GSSAPI_NONE, though I tested that the other
GSSAPI_* options also work correctly.  There is a sanity check in the
Makefile that attempts to catch this conflict, but it does not work
correctly.  See
<https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200555>.

After another poudriere run, which rebuilt the curl package and
everything that depended on it, things were looking much better.  Of my
~1300 installed ports, I only found two other problematic ports:
  www/links1 <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200557>
and
  security/nmap
  <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200558>

The only remaining port that links to openssl in base is pkg, which I
think is mandatory for chicken vs. egg reasons.

I'm currently running with these updated ports and haven't run into any
problems.
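
Added example, not part of the original message: a shell sketch of the ldd audit described above, listing binaries whose libssl/libcrypto resolve to the base system rather than the port. The function names are hypothetical, the sample ldd output is constructed, and it assumes base libraries live in /lib and /usr/lib and port libraries under /usr/local/lib.

```shell
#!/bin/sh
# Flag binaries whose libssl/libcrypto resolve to the base system
# (/lib, /usr/lib) instead of the port under /usr/local/lib.

# Read ldd(1) output on stdin; print "binary<TAB>library path" per hit.
find_base_openssl() {
    awk '
        # ldd prints "path:" before the libraries of each file it is given
        /^[^ \t].*:$/ { bin = substr($0, 1, length($0) - 1); next }
        # dependency lines: "libssl.so.7 => /usr/lib/libssl.so.7 (0x...)"
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ && $3 ~ /^(\/usr)?\/lib\// {
            printf "%s\t%s\n", bin, $3
        }
    '
}

# Run ldd over every regular file in the given directories (default: the
# usual port locations). Errors from non-ELF files are discarded.
scan_dirs() {
    [ $# -gt 0 ] || set -- /usr/local/bin /usr/local/sbin /usr/local/lib
    find "$@" -type f -exec ldd {} + 2>/dev/null | find_base_openssl
}

# Constructed sample in ldd format; paths, sonames and addresses are
# illustrative, not taken from the message.
sample_ldd() {
    printf '%s\n' '/usr/local/bin/curl:'
    printf '\t%s\n' \
        'libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800849000)' \
        'libssl.so.7 => /usr/lib/libssl.so.7 (0x800a9f000)' \
        'libcrypto.so.7 => /lib/libcrypto.so.7 (0x800d0a000)'
    printf '%s\n' '/usr/local/bin/wget:'
    printf '\t%s\n' \
        'libssl.so.8 => /usr/local/lib/libssl.so.8 (0x80087e000)' \
        'libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800af0000)'
}

# Demo on the constructed sample; on a real host call scan_dirs instead.
sample_ldd | find_base_openssl
```

A hit only shows what the runtime linker resolves today; a package that lists the openssl port as a dependency and still appears here has the silent mislink described in the message.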