Date:      Mon, 24 Mar 2003 07:50:56 -0800 (PST)
From:      Nathan Gardner <nathan@inwa.net>
To:        ports@freebsd.org
Subject:   /usr/ports/Mk/bsd.port.mk
Message-ID:  <Pine.LNX.4.53.0303240725110.20406@blueberry.inwa.net>


I have had some difficulties getting things to work with the default
bsd.port.mk (at least under FreeBSD 4.7). The most notable problems I
have had thus far are when I try to not use the distribution's
versions of SSL and PERL. The ports system does not appear to look for
newer versions of these programs under /usr/local where the ports
collection installs them. So if someone were to upgrade their system
from the ports collection (say there was a new version of OpenSSL
released, like there is every few months it seems) the ports
collection still tries to use the one in /usr and doesn't look at the
new one by default.

While it is the responsibility of administrators to be aware of the
versions of their libraries, because the ports collection doesn't look
for new versions in the places that it installs them, there is a
chance of someone installing a new version of OpenSSL (for example)
when an exploit comes out, recompiling everything as directed, and
thinking everything is fixed, while in actuality their recompile
didn't make use of the new libraries, and they are still vulnerable.

I assume that you folks have a far better understanding of this than I
do, and that perhaps I am totally mistaken. Please advise.

I have modified my own bsd.port.mk so that it will use a new version
of OpenSSL if you install it. Perhaps you can improve on my methods,
but here is the section I wrote, which has worked nicely for me
thus far. (Apache2, MySQL40, mod_php, courier-imap, and pine have all
been happy with it).

Starting around line 39932 of /usr/ports/Mk/bsd.port.mk
--BEGIN

.if defined(USE_OPENSSL)
.if ${OSVERSION} >= 400014
OPENSSLBASE= /usr/local
OPENSSLDIR= /usr/local/openssl
.else
.if exists(/usr/lib/libcrypto.so)
OPENSSLBASE= /usr
OPENSSLDIR= /etc/ssl
.else
.BEGIN:
        @${ECHO_CMD} "This port requires the OpenSSL library, which is part of"
        @${ECHO_CMD} "the FreeBSD crypto distribution but not installed on your"
        @${ECHO_CMD} "machine. Please see the \"OpenSSL\" section in the handbook"
        @${ECHO_CMD} "(at \"http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/openssl.html\", for instance)"
        @${ECHO_CMD} "for instructions on how to obtain and install the FreeBSD"
        @${ECHO_CMD} "OpenSSL distribution."
        @${FALSE}
.endif

# OpenSSL in the base system may not include IDEA for patent licensing reasons.
.if defined(MAKE_IDEA) && !defined(OPENSSL_IDEA)
OPENSSL_IDEA=   ${MAKE_IDEA}
.else
OPENSSL_IDEA?=  NO
.endif
.if ${OPENSSL_IDEA} == "NO"
# XXX This is a hack to work around the fact that /etc/make.conf clobbers
#     our CFLAGS. It might not be enough for all future ports.
.if defined(HAS_CONFIGURE)
CFLAGS+=                -DNO_IDEA
.else
OPENSSL_CFLAGS+=-DNO_IDEA
.endif
MAKE_ARGS+=             OPENSSL_CFLAGS="${OPENSSL_CFLAGS}"
.endif
#.endif
.else
LIB_DEPENDS+=   crypto.2:${PORTSDIR}/security/openssl
OPENSSLBASE?=   ${LOCALBASE}
OPENSSLDIR?=    ${OPENSSLBASE}/openssl
.endif
OPENSSLLIB=             ${OPENSSLBASE}/lib
OPENSSLINC=             ${OPENSSLBASE}/include
MAKE_ENV+=              OPENSSLLIB=${OPENSSLLIB} OPENSSLINC=${OPENSSLINC} \
                                OPENSSLBASE=${OPENSSLBASE} OPENSSLDIR=${OPENSSLDIR}
.endif

--END

I am not used to working with make, so I presume there should be a
more elegant way of handling this. I thought that it would be worth
passing along and seeing what you folks had to say about it.

Thank you,
Nathan

-- 
Nathan Gardner <nathan@InWa.net> : System Administrator & Technosattva
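
The risk raised in this message, a rebuilt port that still resolves the base-system OpenSSL, can be checked from `ldd` output. The script below is an added example, not part of the original e-mail or of the ports tree; the function names, the binary paths and the library version numbers in the sample are constructed, and /usr/local is assumed as the ports prefix.

```sh
#!/bin/sh
# Added example (not from the original e-mail): classify the OpenSSL
# libraries that binaries resolve at load time, from `ldd` output on stdin.
# Output: "<binary> <soname> <resolved path> <ports|base|other>"
# $1 is the ports prefix; /usr/local is assumed when it is omitted.
classify_openssl_libs() {
    awk -v ports="${1:-/usr/local}" '
        BEGIN { bin = "-" }
        # ldd prints "binary:" before each dependency list
        NF == 1 && /:$/ { bin = substr($1, 1, length($1) - 1); next }
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            origin = "other"
            if (index($3, ports "/lib/") == 1) origin = "ports"
            else if (index($3, "/usr/lib/") == 1) origin = "base"
            print bin, $1, $3, origin
        }'
}

# Print the base-system hits; exit 0 if any binary still uses base OpenSSL.
uses_base_openssl() {
    classify_openssl_libs "$@" |
        awk '$4 == "base" { found = 1; print } END { exit(found ? 0 : 1) }'
}

# Constructed sample: one binary rebuilt against the port, one that was not.
sample_ldd_output() {
    cat <<'EOF'
/usr/local/sbin/httpd:
    libssl.so.3 => /usr/local/lib/libssl.so.3 (0x2807c000)
    libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x280ab000)
    libc.so.4 => /usr/lib/libc.so.4 (0x2819a000)
/usr/local/bin/imapd:
    libssl.so.2 => /usr/lib/libssl.so.2 (0x28075000)
    libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x280a2000)
    libc.so.4 => /usr/lib/libc.so.4 (0x28190000)
EOF
}

# Demo run on the constructed sample; lists the binary that needs a rebuild.
sample_ldd_output | uses_base_openssl || echo "no base OpenSSL in use"
```

On a live system, pipe real output into the function, for example `ldd /usr/local/sbin/* 2>/dev/null | uses_base_openssl`. Statically linked binaries do not appear in `ldd` output and have to be checked by rebuilding them.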
