Date: Sun, 15 Sep 2002 17:41:53 +0200
From: Roman Neuhauser <neuhauser@bellavista.cz>
To: richard childers <fscked@pacbell.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Answers (& Questions) Re: OpenSSH 3.4p1 Upgrade
Message-ID: <20020915154153.GE56092@freepuppy.bellavista.cz>
In-Reply-To: <20020911133311.GX83171@freepuppy.bellavista.cz>
References: <3D7EB40F.331798E0@pacbell.net> <20020911133311.GX83171@freepuppy.bellavista.cz>

# neuhauser@bellavista.cz / 2002-09-11 15:33:11 +0200:
> # fscked@pacbell.net / 2002-09-10 20:10:07 -0700:
> > ...
>
> > Next we upgrade OpenSSL. The current version is 0.9.6g and is available
> > from both ftp.freebsd.org (../branches/-current/ports/security/openssl/)
> > and from the source, at www.openbsd.org.
> >
> > FreeBSD purists will insist that one uses the port. I would have said
> > the same until I tried it and found that while it compiled and installed
> > flawlessly, I (again) wanted the new installation to overlay the old
> > installation, neatly, and it was insistent on installing the new OpenSSL
> > installation in /usr/local; leaving me with the task of (manually!!)
> > hunting down and eliminating the bits and pieces of the old OpenSSL
> > installation, in /usr.
>
> you could have just done
>     make install clean -DOPENSSL_OVERWRITE_BASE
> but there's this prob with --openssldir; see below.

...

> > # make PREFIX=/usr LOCALBASE=/usr
> > # make PREFIX=/usr LOCALBASE=/usr install
>
> almost right (the specified LOCALBASE didn't bite you just
> because openssl has no dependencies [other than those in the base],
> and wasn't used)
>
> > This creates a pretty close installation to that received with FreeBSD
> > 4.6 but it still creates a /usr/local/openssl directory and puts some
> > libraries in there, if I recall correctly.
>
> actually, it'd create /usr/openssl, and this is a real bug imo.
> OPENSSL_OVERWRITE_BASE should set --openssldir=/etc/ssl.
>
> but even with openssldir set to /usr/openssl this should just work
> with the openssh port, but it doesn't look like it's actually the
> case.
>
> if you build openssh with -DUSE_OPENSSL_BASE, it expects you to have
> /etc/ssl, which will break if you installed the openssl port with
> -DOPENSSL_OVERWRITE_BASE.
>
> if you build openssh without the switch, it basically assumes you
> have /usr/local/openssl. bummer. :|

ok, i submitted a patch to the openssl port that sets
--openssldir=/etc/ssl if you have -DOPENSSL_OVERWRITE_BASE, and it just
got committed.

> > I would think that critical things that are so important that they are
> > included in the operating system release (OpenSSL, OpenSSH) would be
> > important enough elements of a security infrastructure, that upgrading
> > them via the ports mechanism would result in a neatly overlaid new
> > installation over the old one - not a mixture of new and old
> > libraries, executables, and configuration files.
>
> this *should* be the case with the openssl port and the
> -DOPENSSL_OVERWRITE_BASE switch, but openssh obviously can't be
> installed in /usr without hacking the port Makefile, although it
> doesn't look like it'd be too hard.

i *might* take a look at this, too. no promises, though.

-- 
begin 666 nonexistent.vbs
FreeBSD 4.6-STABLE
5:37PM up 25 days, 23:29, 16 users, load averages: 0.26, 0.08, 0.02
end

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
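An added example, not part of the original message: a small audit for the mixed base/ports situation discussed in this thread. It compares the OPENSSLDIR that each installed `openssl` binary reports via `openssl version -d`. The function names and the choice of candidate paths are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: flag OpenSSL installs whose compiled-in OPENSSLDIR
# (set by --openssldir at build time) disagree or point at a missing directory.
# Usage (paths are assumptions; pass whichever binaries exist on the host):
#   sh audit.sh /usr/bin/openssl /usr/local/bin/openssl

# Extract the directory from `openssl version -d` output,
# e.g.  OPENSSLDIR: "/etc/ssl"  ->  /etc/ssl
parse_openssldir() {
    sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Report OPENSSLDIR for every binary given; return 1 on any inconsistency.
audit_openssl() {
    seen=""
    status=0
    for bin in "$@"; do
        [ -x "$bin" ] || continue            # skip binaries that are not installed
        dir=$("$bin" version -d 2>/dev/null | parse_openssldir)
        if [ -z "$dir" ]; then
            echo "$bin: could not determine OPENSSLDIR"
            status=1
            continue
        fi
        echo "$bin: OPENSSLDIR=$dir"
        # A compiled-in directory that does not exist means config and
        # certificate lookups will silently miss.
        [ -d "$dir" ] || { echo "  warning: $dir does not exist"; status=1; }
        # Two installs with different directories means old and new are mixed.
        case "$seen" in
            ""|"$dir") ;;
            *) echo "  warning: differs from $seen"; status=1 ;;
        esac
        seen=${seen:-$dir}
    done
    return "$status"
}

if [ "$#" -gt 0 ]; then
    audit_openssl "$@"
fi
```
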