From owner-freebsd-ports@FreeBSD.ORG Tue Jul 28 17:38:17 2009 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 591291065676 for ; Tue, 28 Jul 2009 17:38:17 +0000 (UTC) (envelope-from enlil65@gmail.com) Received: from mail-qy0-f191.google.com (mail-qy0-f191.google.com [209.85.221.191]) by mx1.freebsd.org (Postfix) with ESMTP id 128258FC1A for ; Tue, 28 Jul 2009 17:38:16 +0000 (UTC) (envelope-from enlil65@gmail.com) Received: by qyk29 with SMTP id 29so285587qyk.3 for ; Tue, 28 Jul 2009 10:38:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=dHgkr1jR9L19Ertl96qSbz/pD1P9BcVFQM3+7LRBsOc=; b=E0qUg8K+ZyQ1dSvrfCmjSnYOwyDB91unjZOlufukl7Qjp85b2AWuH+L3YIXvU+nQMV UY1u0UCkgqSbL5ZUKmmj/Qy9sCdZu5OBEjZxyAvhsOTQGQcDD05MegM9UveZdbisDwvE keGsz6mSv5SMngI84xZ5H/K2mPHQMAnEBGWnk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=JKwn0Fwa/TpdNUvnHqIN0ybbbp8yhQbtDwgkt4koVz8DSdkYGWnpUnOAWSUQjrZrtI 04b91oOLp5Ha59jb1DwLzW4Evuc/4PAeONylKTJmDTWnafraafBXuf+H6yIzdH+Ev3ZJ U52x2Evodb5Xplpr6bedTvbqcUvJfTNnebMAQ= MIME-Version: 1.0 Received: by 10.220.76.73 with SMTP id b9mr4953625vck.85.1248802696363; Tue, 28 Jul 2009 10:38:16 -0700 (PDT) In-Reply-To: References: Date: Tue, 28 Jul 2009 12:38:16 -0500 Message-ID: <1789c2360907281038y29f05e94h782ad90ca4337acd@mail.gmail.com> From: Peggy Wilkins To: freebsd-ports@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Subject: Re: Using WITH_OPENSSL_PORT X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jul 2009 17:38:17 -0000 On Sun, Jul 26, 2009 at 2:13 AM, b. f. wrote: >> As the PR advises, switching back to base openssl fixes my problem. > > Well, apparently only part of it. =A0Unfortunately the openssl framework > in ports doesn't accommodate mixing and matching of base and port > openssl, so while this may allow you to use pam_ldap, it's at the > expense of other ports. =A0You should probably follow-up on the PR, and > explain to the committer who closed it why a real solution to the > problem would be desirable. =A0Also, ask the krb5 maintainer if it would > be possible to relax the openssl requirements on his port. =A0Sometimes > these restrictions are relics of times when an earlier version of > openssl in base was causing problems, and they may no longer be > relevant. It turns out there are a number of open PR's for related issues. For insta= nce: ports/120101: security/krb5 utilities link against wrong libcom_err http://www.freebsd.org/cgi/query-pr.cgi?pr=3Dports/120101 ports/121573: security/krb5 (MIT Kerberos) generates non-working ksu http://www.freebsd.org/cgi/query-pr.cgi?pr=3Dports/121573 ports/128972: Port security/krb5 has a linking problem when compiled against base openssl http://www.freebsd.org/cgi/query-pr.cgi?pr=3Dports/128972 I get a working security/krb5 compiled against base openssl, if I preface all the client commands with LD_LIBRARY_PATH=3D/usr/local/lib. I'm not sure what a good resolution for all those PR's would be... how is this sort of conflict of shlibs normally resolved for ports? >> Since I am already using pam_ldap on this system in production, I >> don't see any easy way to get security/krb5 installed and working via >> ports on the same system since openssl requirements for these things >> conflict. =A0I think my easiest solution is to use a different system >> for security/krb5. > > At least in the short term, if you don't have the time to patch these > ports yourself, you may be right. =A0Another thing you may want to > consider: will the kerberos implementation already in the base system, > or another kerberos port, meet your needs, so that you can dispense > with the krb5 port? Another thing that occurred to me (I may have seen it online somewhere) is that if I replace the base kerberos with ports/krb5 compiled against the base openssl, my problem with multiple conflicting shared libraries would go away. It looks like I can build my system with WITHOUT_KERBEROS setting in /etc/src.conf, though I am still unsure how to remove the already-installed kerberos on my production system -- do I hunt down and delete the already-installed files, or is there an easier way to do that? BTW even though I've been running FreeBSD for over 6 years now, I hadn't heard of /etc/src.conf before this weekend. How do people find out about that? I'm surprised to have missed it before now. plw