From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Mar 3 11:20:01 2014
Date: Mon, 3 Mar 2014 11:20:01 GMT
Message-Id: <201403031120.s23BK1su015340@freefall.freebsd.org>
To: freebsd-ports-bugs@FreeBSD.org
From: Dewayne Geraghty
Subject: Re: ports/187076: PREFIX!=/usr/local prevents package build for security/openssl, sysutils/monit
Reply-To: Dewayne Geraghty
List-Id: Ports bug reports

The following reply was made to PR ports/187076; it has been noted by GNATS.

From: Dewayne Geraghty
To: Dirk Meyer, FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/187076: PREFIX!=/usr/local prevents package build for security/openssl,sysutils/monit
Date: Mon, 03 Mar 2014 22:06:26 +1100

On 3/03/2014 5:21 PM, Dirk Meyer wrote:
> Hello Dewayne Geraghty,
>
>> Though I have been building openssl from ports into the base system
>> since 2006. And that is where it resides today, in all the servers that
>> we have deployed to customers, along with select packages like heimdal
>> and openssh (into /usr).
> OpenSSL in base has only been working in FreeBSD 4.x
>
>> [...] than I do ensuring that we have latest executables, libs.
> Sadly this is not the case.
>
> the base apps will still use the old base libs.
>
> $ ldd /usr/sbin/sshd | grep libcrypto
>     libcrypto.so.6 => /lib/libcrypto.so.6 (0x33e5a000)
>
> $ ldd /usr/sbin/wpa_supplicant
>     libssl.so.6 => /usr/lib/libssl.so.6 (0x33d05000)
>     libcrypto.so.6 => /lib/libcrypto.so.6 (0x33d51000)
>
>> I had considered building packages for a non /usr location but that
>> wasn't really the right thing to do, so it's a balancing act. The
>> argument regarding libcrypt.so.6 and others is reasonable.
> You are in luck that the config location is different.
> /usr/ssl/openssl.conf
> /usr/openssl/openssl.conf
>
> else your apps might not work at all.
>
> kind regards Dirk
>
> - Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
>
>

Thank you Dirk,

You're quite right. Though I avoid those problems by using a skeleton FreeBSD, where I don't build ssh, heimdal, hostapd, named, ntp during a system build but rely upon packages from ports. Some time ago, I used to not build openssl, however subsequent geom_eli versions pulled in some headers from the base openssl, requiring a simple work-around. More recently pkg_* and fetch need libssl or libcrypto ... but it is gssd that really upset the apple-cart (made things difficult).

Yes, many of the base applications use libcrypt.so.6 and less than 10 use libssl.so.6. Of the 487 ports that I use, the only port that requires these libraries is pkg. The other ports build cleanly with libcrypto.so.8 &/or libssl.so.8. I'm probably fortunate that none link to both lib{ssl,crypto}.so.6 and .8, but for those that do, maybe they should be corrected?

Thank you for your thoughts, you've reminded me what a nuisance this was when I first took this path (of replacing base contributions with packaged elements). But there is some consolation that I regard an operating system only as useful as the applications that it reliably runs - the base elements of FreeBSD: Kernel, IO, network infrastructure, device and memory management provide an outstanding base platform but it's the ports system that provides utility to businesses, and, with timely revisions provides for more than just a fun experience; a genuine business advantage. :)

Unfortunately there is no luck involved; careful analysis and planning is required. And your choice of wpa_supplicant is a poignant example, as it is at revision 0.7.3 (on FreeBSD 9.2Stable) while the latest software is at revision 2.1 (http://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog). I would probably use a port if it was available, because TLS1.2 is attractive, though if the FreeBSD developers have left this software alone, it's precautionary to examine why more closely. ;)

Kind regards,
Dewayne
Australia.
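
The check discussed in this thread (whether a binary resolves only the base .6 libraries, only the ports .8 libraries, or a mix of both) can be scripted over `ldd` output. The following is an added example, not part of the original message; the function names and the sample lines other than the quoted sshd line are constructed, and it assumes FreeBSD-style sonames in which libssl and libcrypto carry the same version number.

```shell
#!/bin/sh
# Added example: classify `ldd` output by the OpenSSL library versions it resolves.

# openssl_sonames (hypothetical name): read `ldd` output on stdin and print the
# unique libssl/libcrypto sonames it references, one per line.
openssl_sonames() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so\.[0-9]+$/ { print $1 }' | sort -u
}

# openssl_link_status (hypothetical name): read `ldd` output on stdin and print
#   none   - no libssl/libcrypto dependency
#   single - all OpenSSL libraries share one version suffix
#   mixed  - more than one suffix, e.g. .6 from base together with .8 from ports
openssl_link_status() {
    versions=$(openssl_sonames | sed 's/.*\.so\.//' | sort -u | wc -l | tr -d ' ')
    case "$versions" in
        0) echo none ;;
        1) echo single ;;
        *) echo mixed ;;
    esac
}

# Sample input. The libcrypto line is the sshd output quoted in the thread;
# the libc line is constructed.
SAMPLE_BASE='    libcrypto.so.6 => /lib/libcrypto.so.6 (0x33e5a000)
    libc.so.7 => /lib/libc.so.7 (0x34000000)'

# Constructed sample: a binary resolving libssl from ports and libcrypto from base.
SAMPLE_MIXED='    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x33d05000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x33d51000)'

printf '%s\n' "$SAMPLE_BASE"  | openssl_link_status
printf '%s\n' "$SAMPLE_MIXED" | openssl_link_status

# On a live system, feed real output instead of the samples:
#   ldd /usr/sbin/sshd | openssl_link_status
```

A result of `mixed` marks a binary that loads two OpenSSL generations into one process and should be rebuilt against a single one.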