Date: Wed, 19 Apr 2023 12:50:59 -0400
From: Ed Maste <emaste@freebsd.org>
To: freebsd-arch <freebsd-arch@freebsd.org>
Subject: OpenSSL in the FreeBSD base system / FreeBSD 14
Message-ID: <CAPyFy2Afao5tnujFtwiF6avdkqAXRGDOTSq-JSCkHvvbfUvhaA@mail.gmail.com>

There have been a few discussions on this topic in different venues, but we should consolidate the discussion on a public mailing list. This email represents a summary of the issues and the current state; we’ll discuss next steps in follow-up mail.

FreeBSD 14 is coming soon, and one outstanding task is dealing with OpenSSL in the base system. The base system currently has OpenSSL 1.1.1, and it will be EOL as of 2023-09-11.

There are two related issues:

- The base system needs to migrate from OpenSSL 1.1.1.
- The ports collection currently makes use of OpenSSL provided by the base system by default, with some exceptions.

Changing the base system OpenSSL into a privatelib would decouple these two, so that the base system and ports can migrate to OpenSSL 3 (or even to other implementations) on their own schedules. We have a number of privatelibs today, like libevent, that are used by the base system but not by ports. All OpenSSL-using ports will need security/openssl (or another openssl port).

A related issue is base system libraries that depend on OpenSSL would also need to be made private. This includes gssapi, heimdal, and libfetch.

This leaves the actual task of updating OpenSSL in the base system, which is complicated because we use bespoke build infrastructure in crypto/openssl/ rather than the upstream build bits. For better or worse this is the typical case for all of our contrib software, but OpenSSL is particularly tricky as it makes use of a large number of generated files, and those files are generated using Perl and perhaps other tools that are not available in the FreeBSD base system. Porting this to the base system is not insurmountable, but requires a fairly large amount of tedious work.

This should serve as a snapshot of where we are today and a starting point for discussion; we’ll formulate a list of specific tasks in a follow-up.