Date: Mon, 3 Mar 2014 11:20:01 GMT
From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/187076: PREFIX!=/usr/local prevents package build for security/openssl, sysutils/monit
Message-ID: <201403031120.s23BK1su015340@freefall.freebsd.org>

The following reply was made to PR ports/187076; it has been noted by GNATS.

From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To: Dirk Meyer <dirk.meyer@dinoex.sub.org>, FreeBSD-gnats-submit@FreeBSD.org
Cc:
Subject: Re: ports/187076: PREFIX!=/usr/local prevents package build for security/openssl,sysutils/monit
Date: Mon, 03 Mar 2014 22:06:26 +1100

On 3/03/2014 5:21 PM, Dirk Meyer wrote:
> Hello Dewayne Geraghty,
>
>> Though I have been building openssl from ports into the base system
>> since 2006. And that is where it resides today, in all the servers that
>> we have deployed to customers, along with select packages like heimdal
>> and openssh (into /usr).
> OpenSSL in base has only been working in FreeBSD 4.x
>
>> [...] than I do ensuring that we have latest executables, libs.
> Sadly this is not the case.
>
> The base apps will still use the old base libs.
>
> $ ldd /usr/sbin/sshd | grep libcrypto
>         libcrypto.so.6 => /lib/libcrypto.so.6 (0x33e5a000)
>
> $ ldd /usr/sbin/wpa_supplicant
>         libssl.so.6 => /usr/lib/libssl.so.6 (0x33d05000)
>         libcrypto.so.6 => /lib/libcrypto.so.6 (0x33d51000)
>
>> I had considered building packages for a non /usr location but that
>> wasn't really the right thing to do, so it's a balancing act. The
>> argument regarding libcrypt.so.6 and others is reasonable.
> You are in luck that the config location is different.
> /usr/ssl/openssl.conf
> /usr/openssl/openssl.conf
>
> Else your apps might not work at all.
>
> kind regards Dirk
>
> - Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
>
>

Thank you Dirk,

You're quite right. Though I avoid those problems by using a skeleton
FreeBSD, where I don't build ssh, heimdal, hostapd, named, ntp during a
system build but rely upon packages from ports. Some time ago, I used to
not build openssl, however subsequent geom_eli versions pulled in some
headers from the base openssl, requiring a simple work-around. More
recently pkg_* and fetch need libssl or libcrypto ... but it is gssd that
really upset the apple-cart (made things difficult).

Yes, many of the base applications use libcrypt.so.6 and less than 10 use
libssl.so.6. Of the 487 ports that I use, the only port that requires
these libraries is pkg. The other ports build cleanly with libcrypto.so.8
and/or libssl.so.8. I'm probably fortunate that none link to both
lib{ssl,crypto}.so.6 and .8, but for those that do, maybe they should be
corrected?

Thank you for your thoughts, you've reminded me what a nuisance this was
when I first took this path (of replacing base contributions with
packaged elements). But there is some consolation that I regard an
operating system only as useful as the applications that it reliably
runs - the base elements of FreeBSD: Kernel, IO, network infrastructure,
device and memory management provide an outstanding base platform but
it's the ports system that provides utility to businesses, and, with
timely revisions provides for more than just a fun experience; a genuine
business advantage. :)

Unfortunately there is no luck involved, careful analysis and planning is
required. And your choice of wpa_supplicant is a poignant example, as it
is at revision 0.7.3 (on FreeBSD 9.2Stable) while the latest software is
at revision 2.1 (http://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog).
I would probably use a port if it was available, because TLS1.2 is
attractive, though if the FreeBSD developers have left this software
alone, it's precautionary to examine why more closely. ;)

Kind regards,
Dewayne
Australia.
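
The ldd check quoted in the message above, turned into a small audit that flags binaries still bound to the old base libraries or to both generations at once. This is an added example, not part of the original e-mail thread. It assumes the sonames named in the thread (.so.6 for base, .so.8 for ports); the sample ldd output, the /usr/local/lib path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify binaries by which OpenSSL library generation
# they link against, based on `ldd` output.
# Sonames are the ones quoted in the thread: .so.6 (base), .so.8 (ports).
OLD_RE='lib(ssl|crypto)\.so\.6 '
NEW_RE='lib(ssl|crypto)\.so\.8 '

# classify_ldd: read ldd output on stdin,
# print one of: base-only | ports-only | mixed | none
classify_ldd() {
    out=$(cat)
    old=0; new=0
    if printf '%s\n' "$out" | grep -Eq "$OLD_RE"; then old=1; fi
    if printf '%s\n' "$out" | grep -Eq "$NEW_RE"; then new=1; fi
    case "$old$new" in
        10) echo base-only ;;   # still served by the old base libs
        01) echo ports-only ;;
        11) echo mixed ;;       # two libcrypto/libssl generations in one process
        *)  echo none ;;
    esac
}

# Constructed sample: same shape as the sshd output quoted in the thread.
sample_base() {
    cat <<'EOF'
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x33e5a000)
        libc.so.7 => /lib/libc.so.7 (0x33f00000)
EOF
}

# Constructed sample: a binary pulling in both generations.
sample_mixed() {
    cat <<'EOF'
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x33d05000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x33d51000)
EOF
}

# audit: run ldd on each path given and report anything linked to OpenSSL.
audit() {
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        verdict=$(ldd "$bin" 2>/dev/null | classify_ldd)
        if [ "$verdict" != none ]; then printf '%s\t%s\n' "$verdict" "$bin"; fi
    done
}

if [ "$#" -gt 0 ]; then audit "$@"; fi
```

Run it with a list of paths, for example the contents of /usr/sbin, and review every line reported as base-only or mixed.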