From: Kimmo Paasiala
To: Benjamin Kaduk
Cc: Don Lewis, freebsd-security
Date: Mon, 1 Jun 2015 19:25:01 +0300
Subject: Re: avoiding base openssl when building ports

On Mon, Jun 1, 2015 at 7:17 PM, Benjamin Kaduk wrote:
> On Sun, 31 May 2015, Don Lewis wrote:
>
>> The big culprit turned out to be ftp/curl. Even though
>> WITH_OPENSSL_PORT=yes caused it to add the openssl port as a build and
>> run dependency, it was silently getting linked to openssl from base. The
>> cause of that problem is that the default GSSAPI_BASE option adds
>> -L/usr/lib near the start of LDFLAGS, so the linker finds the base
>> openssl libraries instead of the ones from the port. I worked around
>> that problem by switching to GSSAPI_NONE, though I tested that the other
>> GSSAPI_* options also work correctly. There is a sanity check in the
>> Makefile that attempts to catch this conflict, but it does not work
>> correctly. See
>> .
>
> My apologies for semi-hijacking your thread, but I am starting to wonder
> whether the base Heimdal (and GSSAPI) should be converted to be a private
> library. Since I am living in a MIT krb5 world, which is incompatible
> with the Heimdal libraries, I end up having some trouble trying to force
> various things to be used from base vs. ports.
>
> Making the Heimdal in base into private libraries would "solve" the
> problem with ftp/curl, but only inasmuch as it would make the GSSAPI_BASE
> option useless and require a GSSAPI from ports.
>
> -Ben

Rumour is that something like that is going to happen with all of the
problematic libraries by making them private. If someone with inside
knowledge could confirm these rumours? ;)

This leads to another question. Where is the line going to be drawn
which libraries in the base system should be private? There are
certainly some of them that have to be public like libc and the
support libraries like libusb. There is certainly no sense in making
the ports system use a full set of its own libraries for everything
either.

-Kimmo
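
The link-order problem quoted above (-L/usr/lib ahead of the port's library directory in LDFLAGS, so a port silently links against base openssl) can be checked both on the link line and on the installed binary. The script below is an added example, not part of the original message or of the ports tree. It assumes LOCALBASE=/usr/local; the function names are hypothetical and the ldd output is a constructed sample.

```sh
#!/bin/sh
# Added example. Assumption: ports install under LOCALBASE=/usr/local.
LOCALBASE=${LOCALBASE:-/usr/local}

# Print the -L directories of an LDFLAGS string, one per line, in search
# order. Only the joined "-Ldir" form is handled, not "-L dir".
ldflags_dirs() {
    for word in $1; do
        case $word in
            -L?*) printf '%s\n' "${word#-L}" ;;
        esac
    done
}

# Exit 0 when a base library directory is searched before $LOCALBASE/lib,
# which is the ordering that makes the linker pick base libssl/libcrypto.
base_shadows_port() {
    for dir in $(ldflags_dirs "$1"); do
        case $dir in
            "$LOCALBASE/lib") return 1 ;;
            /usr/lib|/lib)    return 0 ;;
        esac
    done
    return 1
}

# Read ldd output on stdin and print the libssl/libcrypto entries that
# resolve outside $LOCALBASE/lib, i.e. to the base system.
base_ssl_links() {
    awk -v port="$LOCALBASE/lib/" '
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ && index($3, port) != 1 {
            print $1, $3
        }'
}

# Constructed sample: ldd-style output for a curl linked as the thread describes.
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/curl:
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800849000)
    libssl.so.7 => /usr/lib/libssl.so.7 (0x800aa1000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800d0d000)
    libc.so.7 => /lib/libc.so.7 (0x8010f4000)
EOF
}

# On a real host: ldd /usr/local/bin/curl | base_ssl_links
sample_ldd | base_ssl_links
```

Any line printed by base_ssl_links means the binary still resolves OpenSSL from base even though the port declared the openssl port as a dependency.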