From owner-freebsd-stable@freebsd.org Tue Jul 14 00:46:40 2015
Subject: Re: WITHOUT_OPENSSL and make delete-old
From: Dewayne Geraghty
To: Matt Smith
Cc: FreeBSD Stable Mailing List
Date: Tue, 14 Jul 2015 10:45:53 +1000
Message-ID: <55A45BC1.7000004@consciuminternational.com.au>
In-Reply-To: <20150713140352.GB1284@xtaz.uk>
References: <20150713140352.GB1284@xtaz.uk>
List-Id: Production branch of FreeBSD source code

On 14/07/2015 12:03 AM, Matt Smith wrote:
> Hi, I use the ports version of OpenSSL for everything and don't
> require the base version. As a result I thought I would remove it by
> adding WITHOUT_OPENSSL into /etc/src.conf and running make delete-old
> in /usr/src. However this seems to only want to delete things related
> to kerberos and gssapi, which is understandable as they depend on
> OpenSSL. However it doesn't seem to touch any OpenSSL files at all.
> Is this a bug or have I missed something?
>

Matt, I've been down that road. And for a few years, I installed the openssl port over openssl base. But things have changed a lot: geli uses openssl headers, libarchive (hence tar, cpio) and libarchive need openssl; and of course kerberos and openssh. Also, if you remove gssapi then you won't be able to build gssd (used for kernel/NFS gssapi).

The way I "get around" this issue is to build a base system that uses base openssl to build the necessary "base" components, using WITHOUT_[KERBEROS,OPENSSH]. Using this base system, I build a couple of jails, which are used to build the ports. For these jails I remove any remnants of base openssl. Then I'm able to build everything and install onto the production servers only what they need. (Pay attention to where base openssl places libcom_err.*, it sometimes slips through. I have a PR for this; and a build script removes it).

What do you lose? The FreeBSD version of openssl is tweaked by very knowledgeable members (both Dag-Erling Smørgrav and John-Mark Gurney et al), so you may want to examine their changes.

There is/was talk about making base openssl "private", which I believe will accomplish the same result: base openssl for the base system, and port openssl for port building. I don't have details or a timeline for these changes.

Why did I bother? Historically, I installed heimdal 1.0.1 while base heimdal was at 0.6.3. And for my use case: no nfs, needed additional ciphers (at the time) and a slightly different attack surface; my build system works. :)

I hope I've saved you some time.

Regards, Dewayne.

--
For the talkers: “The superior man acts before he speaks, and afterwards speaks according to his action.”
For everyone else: “Life is really simple, but we insist on making it complicated.”
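The remnant check Dewayne describes (base OpenSSL and libcom_err files that make delete-old leaves behind in a ports-building jail), as an added example that is not part of the thread or of any FreeBSD script; the path list is an assumption about a FreeBSD 10-era base layout and should be adjusted to the release being built:

```shell
#!/bin/sh
# Added example (not from the thread): scan a jail root for base OpenSSL
# and com_err files that survive "make delete-old" under WITHOUT_OPENSSL.
# Ports OpenSSL lives under usr/local and is deliberately not matched.
# The pattern list is an assumption for FreeBSD 10-era layouts; adjust it.

BASE_OPENSSL_PATTERNS='
usr/bin/openssl
usr/include/openssl
usr/lib/libssl.*
usr/lib/libcrypto.*
usr/lib/libcom_err.*
usr/lib32/libssl.*
usr/lib32/libcrypto.*
usr/lib32/libcom_err.*
'

# find_base_openssl_remnants ROOT
# Prints each existing path under ROOT matching a pattern, one per line.
# Returns 0 when ROOT is clean, 1 when remnants were found.
find_base_openssl_remnants() {
    root=${1%/}
    found=0
    set -f                      # do not glob the pattern list itself
    for pat in $BASE_OPENSSL_PATTERNS; do
        set +f                  # glob only inside the jail root
        for p in "$root"/$pat; do
            # an unmatched glob stays literal, so test before reporting
            [ -e "$p" ] || [ -L "$p" ] || continue
            printf '%s\n' "$p"
            found=1
        done
        set -f
    done
    set +f
    return $found
}

# count_base_openssl_remnants ROOT: number of remnant paths, for scripting.
count_base_openssl_remnants() {
    find_base_openssl_remnants "$1" | wc -l | tr -d ' '
}

# Usage after "make delete-old" inside the jail; non-zero means dirty:
#   find_base_openssl_remnants /jails/portbuild || echo "base OpenSSL remnants remain"
```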