Date: Sun, 19 Aug 2018 13:31:11 +0200
From: Bernard Spil <brnrd@freebsd.org>
To: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
Cc: freebsd-ports@freebsd.org
Subject: Re: Moving / renaming OpenSSL ports
Message-ID: <f91f7c424d6df5edd7b75d44eaf73a21@freebsd.org>
In-Reply-To: <c45197a1-24e1-e30b-9376-4d9f84c29141@heuristicsystems.com.au>
References: <daf7fff908f227885c600753ebabd15b@freebsd.org> <c45197a1-24e1-e30b-9376-4d9f84c29141@heuristicsystems.com.au>
On 2018-08-19 0:25, Dewayne Geraghty wrote:
> Bernard,
> Given the silly way that the openssl crew have decided to name their
> releases I think this is a good approach for the moment. I wonder how
> they'll number an update to 1.1 :) (1.1A 1.2?) or what an update to
> 1.1.1 - a rod for their own back, I think it a pity the TLS folks did
> not use 2.0 rather than 1.3).
>
> I've used your wikis a great deal and have found your proactive
> engagement a delight.
>
> Yes I still build all amd64 ports with libressl. I'm considering
> migration to libressl-devel because I think this will remove some
> security/libressl tweak complexity. ;)
>
> After reviewing your FOSDEM slides -
> - yes there are ports that use base even when told not to, so for
> libssl | libcrypto - I just remove them, though I do replace them with
> symlinks.
> - I hadn't seen this SSL_OP_SINGLE_DH_USE before. We regenerate DH on a
> daily basis in background, so for us it's preferred.
> - slide 17 - building without openssl creates deficient libarchive,
> which is ok if you pull via curl and one of the archiver/ tar-like
> files. Problematic for most users.
> - thank you for drawing my attention to this PRIVATELIB=true WOW!
> Great! I'll also search ports for any use of USEPRIVATELIB so I can
> remove the line ;)
> - pkg is a problem. We rebuild required ports then remove all ports
> (pkg delete -a), install (via tar) the key ones, then rebuild
> everything. Convoluted but effective for our purposes
>
> Excellent presentation, summary of history and references.
>
> Kind regards, Dewayne
> ps I use security/heimdal ports for all production servers, we build
> 1200+ ports each month - it catches a lot of mismatches. The
> recommendation to use MIT for anything is unfortunate - why provide the
> US the opportunity for additional sanctions :) I've found heimdal to be
> ridiculously stable in production AND predictable.

Hi Dewayne,

Thanks for your response!
Waiting for some more people to chime in before I pull any triggers.

As for libressl-devel, there are no ABI changes so far and I haven't really seen any benefits of using 2.8 over 2.7 so far. Have you seen anything specific?

Heimdal is one of the blockers for updating OpenSSL to 1.1 in base :D

Cheers,

Bernard.
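Dewayne's point that some ports link against the base libssl/libcrypto even when DEFAULT_VERSIONS says otherwise is the kind of thing worth checking mechanically rather than by trust: a binary that silently resolves the base OpenSSL instead of the ports LibreSSL is running a different TLS stack than the one you think you patched. The script below is an added example, not code from this thread or from the FreeBSD ports tree. It classifies the libssl/libcrypto entries of ldd(1)-style output as "base" (/lib or /usr/lib), "ports" (assumed PREFIX /usr/local/lib) or "other", and the sample ldd output it runs on is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: find out which libssl/libcrypto a binary actually resolves.
# Assumptions (not from the thread): base libraries live under /lib or
# /usr/lib, ports libraries under /usr/local/lib (the usual PREFIX).

# classify_ssl_deps: read ldd(1) output on stdin, print one line per
# libssl/libcrypto dependency as "<soname> <base|ports|other> <path>".
classify_ssl_deps() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            lib = $1; path = $3
            if (path ~ /^\/(usr\/)?lib\//)           where = "base"
            else if (path ~ /^\/usr\/local\/lib\//)  where = "ports"
            else                                     where = "other"
            print lib, where, path
        }'
}

# uses_base_ssl: exit 0 if any libssl/libcrypto on stdin resolves to base,
# 1 otherwise.  Handy as a gate in a build or audit script.
uses_base_ssl() {
    classify_ssl_deps | awk '$2 == "base" { found = 1 } END { exit !found }'
}

# check_binary: run the classification against a real file on this host.
check_binary() {
    ldd "$1" | classify_ssl_deps
}

# Constructed sample ldd output (not from a real system): a port binary
# that silently picked up the base OpenSSL ...
SAMPLE_LDD_BASE='/usr/local/bin/example:
	libssl.so.111 => /usr/lib/libssl.so.111 (0x800a00000)
	libcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

# ... and one that links the ports LibreSSL as intended.
SAMPLE_LDD_PORTS='/usr/local/bin/example2:
	libssl.so.45 => /usr/local/lib/libssl.so.45 (0x800a00000)
	libcrypto.so.43 => /usr/local/lib/libcrypto.so.43 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_LDD_BASE" | classify_ssl_deps
if printf '%s\n' "$SAMPLE_LDD_BASE" | uses_base_ssl; then
    echo "example: links base OpenSSL despite ports LibreSSL being installed"
fi
printf '%s\n' "$SAMPLE_LDD_PORTS" | classify_ssl_deps
```

To sweep an installed system, loop `check_binary` over the files pkg reports for each package (for example the output of `pkg query '%Fp' <pkg>` filtered to ELF executables and shared objects) and flag anything marked "base"; that is a quicker check than removing the base libraries and waiting for something to break.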