From: Roman Neuhauser
To: richard childers
Cc: freebsd-questions@freebsd.org
Date: Wed, 11 Sep 2002 15:33:11 +0200
Subject: Re: Answers (& Questions) Re: OpenSSH 3.4p1 Upgrade
Message-ID: <20020911133311.GX83171@freepuppy.bellavista.cz>
In-Reply-To: <3D7EB40F.331798E0@pacbell.net>

# fscked@pacbell.net / 2002-09-10 20:10:07 -0700:

...

> Next we upgrade OpenSSL. The current version is 0.9.6g and is available
> from both ftp.freebsd.org (../branches/-current/ports/security/openssl/)
> and from the source, at www.openbsd.org.
>
> FreeBSD purists will insist that one uses the port.
> I would have said
> the same until I tried it and found that while it compiled and installed
> flawlessly, I (again) wanted the new installation to overlay the old
> installation, neatly, and it was insistent on installing the new OpenSSL
> installation in /usr/local; leaving me with the task of (manually!!)
> hunting down and eliminating the bits and pieces of the old OpenSSL
> installation, in /usr.

you could have just done

    make install clean -DOPENSSL_OVERWRITE_BASE

but there's this prob with --openssldir; see below.

> I found that make(1), invoked with '-n', was useful for determining
> where things would go *before* they were installed; and so I used this
> to study the less documented aspects of the OpenSSL port's building
> process. Using this, I determined that it was possible to accomplish a
> very close fit to the original OpenSSL installation, with the following
> set of commands:
>
> # cd /usr/ports/security/openssl
> # find . -type f -exec rm -f {} \; -print
> # ftp ftp.freebsd.org
>
> - log in as ftp
>
> ftp> cd /pub/FreeBSD/branches/-current/ports/security/openssl
> ftp> bin
> ftp> bel
> ftp> prompt
> ftp> hash
> ftp> mget *
> ftp> quit
>
> # vi Makefile
>
> - find line where it says '#/usr/local#' and change it to '#/usr#'

did you actually read the line? it said: replace all occurrences of
"/usr/local" with the value of ${PREFIX} *in pkg-message*. what you did
was thus completely benign, but also completely useless, as it has
nothing to do with where stuff gets installed. net result was that
instead of the message

    "Copy /usr/local/openssl/openssl.cnf.sample to
    /usr/local/openssl/openssl.cnf and edit it to fit your needs."

you saw

    "Copy /usr/local/openssl/openssl.cnf.sample to
    /usr/local/openssl/openssl.cnf and edit it to fit your needs."

what's the difference? there's none. you rewrote "/usr" with "/usr".

> # make PREFIX=/usr LOCALBASE=/usr
> # make PREFIX=/usr LOCALBASE=/usr install

almost right (the specified LOCALBASE didn't bite you just because
openssl has no dependencies [other than those in the base], and wasn't
used)

> This creates a pretty close installation to that received with FreeBSD
> 4.6 but it still creates a /usr/local/openssl directory and puts some
> libraries in there, if I recall correctly.

actually, it'd create /usr/openssl, and this is a real bug imo.
OPENSSL_OVERWRITE_BASE should set --openssldir=/etc/ssl.

but even with openssldir set to /usr/openssl this should just work with
the openssh port, but it doesn't look like it's actually the case. if
you build openssh with -DUSE_OPENSSL_BASE, it expects you to have
/etc/ssl, which will break if you installed the openssl port with
-DOPENSSL_OVERWRITE_BASE. if you build openssh without the switch, it
basically assumes you have /usr/local/openssl. bummer. :|

> Now for two questions:

[(1) snipped, i have no idea about that stuff]

> (2) Why do FreeBSD ports put everything in /usr/local ?

because that's the default for ${PREFIX}

> I would think that critical things that are so important that they are
> included in the operating system release (OpenSSL, OpenSSH) would be
> important enough elements of a security infrastructure, that upgrading
> them via the ports mechanism would result in a neatly overlaid new
> installation over the old one - not a mixture of new and old
> libraries, executables, and configuration files.

this *should* be the case with the openssl port and the
-DOPENSSL_OVERWRITE_BASE switch, but openssh obviously can't be
installed in /usr without hacking the port Makefile, although it
doesn't look like it'd be too hard.

> In closing, I will note that I found the same problems with Linux RPMs,
> then, that I find, now, with FreeBSD ports - the author of the RPM would
> create RPMs that did not conform to the pattern used by the original
> release of Linux, requiring much additional work recreating RPMs - and
> note that it is a little disconcerting to encounter the same sort of
> weaknesses in FreeBSD's ports.
>
> Perhaps it would be worthwhile to consider two ports - one
> FreeBSD-centric, and the other, /usr/local-centric, as it were -
> analogous to sunfreeware's model, where open source is compiled and
> packaged for two audiences - those who prefer their executables in /opt
> .. and those whose tastes are somewhat more baroque. (-:

two ports shouldn't be needed, a switch would suffice. if it was
implemented.

n.b.: richard, thanks for the detailed description, but note that
emails this long are generally too long for people to bother reading
them. the longer the description of your problem, the less replies.
this is a pity especially as the description usually gets longer with
increasing complexity of the described problem. however, try to squeeze
it into fewer lines next time: for your own good. :)

--
begin 666 nonexistent.vbs
FreeBSD 4.6-STABLE 10:41AM up 21 days, 16:34, 12 users, load averages: 0.04, 0.11, 0.08
end
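The failure mode Roman describes (the port compiled with one --openssldir while the base system's OpenSSH, or the config file, lives in another directory) can be spotted before anything breaks. The script below is an added example, not part of the thread; it assumes only that `openssl version -d` prints a line of the form `OPENSSLDIR: "/etc/ssl"`, and the directories it checks are constructed in the usage comment.

```sh
#!/bin/sh
# Added example (not from the thread): detect a mixed OpenSSL installation,
# where the binary on PATH was built with one --openssldir but openssl.cnf
# actually lives somewhere else (e.g. port installed to /usr/openssl with
# -DOPENSSL_OVERWRITE_BASE while the base system keeps /etc/ssl).

# parse_openssldir OUTPUT
# Extracts the directory from the output of `openssl version -d`,
# which looks like:  OPENSSLDIR: "/etc/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\([^"]*\)".*/\1/p'
}

# check_openssldir DIR CANDIDATE...
# DIR is the compiled-in openssldir; CANDIDATEs are other places an
# openssl.cnf from an older or differently-built install may sit.
# Returns 0 if openssl.cnf is in DIR (consistent install),
#         1 if it is missing from DIR but present in a CANDIDATE (mixed
#           old/new install: the library will silently read no config),
#         2 if no openssl.cnf is found anywhere.
check_openssldir() {
    dir=$1
    shift
    if [ -f "$dir/openssl.cnf" ]; then
        return 0
    fi
    for cand in "$@"; do
        if [ -f "$cand/openssl.cnf" ]; then
            echo "openssl built with openssldir=$dir, but openssl.cnf is in $cand" >&2
            return 1
        fi
    done
    echo "no openssl.cnf found in $dir or any candidate directory" >&2
    return 2
}

# Usage on a real system (assumes openssl is on PATH):
#   dir=$(parse_openssldir "$(openssl version -d)")
#   check_openssldir "$dir" /etc/ssl /usr/local/openssl /usr/openssl
```

A non-zero exit is the cue to rebuild the port with --openssldir matching the directory OpenSSH (and any other base consumer) actually expects.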