Date:      Thu, 09 Apr 2015 11:26:04 -0500
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        Baptiste Daroussin <bapt@freebsd.org>, Loganaden Velvindron <loganaden@gmail.com>
Cc:        Christian Weisgerber <naddy@mips.inka.de>, FreeBSD ports <freebsd-ports@freebsd.org>
Subject:   Re: LibreSSL infects ports, causes problems
Message-ID:  <5526A81C.1030309@FreeBSD.org>
In-Reply-To: <20150409161407.GU95321@ivaldir.etoilebsd.net>
References:  <slrnmib1ur.2jau.naddy@lorvorc.mips.inka.de> <5525E609.70402@FreeBSD.org> <20150409115942.GA81282@lorvorc.mips.inka.de> <20150409130521.GQ95321@ivaldir.etoilebsd.net> <20150409155345.GA87497@lorvorc.mips.inka.de> <20150409155649.GT95321@ivaldir.etoilebsd.net> <CAOp4FwS6+wkO1OPom5W6u6RHPNQaLXiyF-tR20Sq4=dyMV+cXw@mail.gmail.com> <20150409161407.GU95321@ivaldir.etoilebsd.net>

On 4/9/2015 11:14 AM, Baptiste Daroussin wrote:
> On Thu, Apr 09, 2015 at 04:00:45PM +0000, Loganaden Velvindron wrote:
>> On Thu, Apr 9, 2015 at 3:56 PM, Baptiste Daroussin <bapt@freebsd.org> wrote:
>>> On Thu, Apr 09, 2015 at 05:53:45PM +0200, Christian Weisgerber wrote:
>>>> Baptiste Daroussin:
>>>>
>>>>> Somehow you have mixed up things between base openssl and libressl, when
>>>>> starting to activate libressl if you are using ports only you have to be extra
>>>>> careful, (same goes with ncurses or ports openssl) just installing those ports
>>>>> is enough to "pollute" nearly anything you build after with a dependency on it
>>>>> (well anything that does link to libssl, libcrypto)
>>>>
>>>> Well, yes, that's what I said.  It's a bug.
>>>>
>>>>> If it is very complicated and
>>>>> error prone to cherry pick "only take base openssl here, only ports openssl
>>>>> there" the only "safe" way to solve this situation and being consistent is to
>>>>> always skip the version from base and enforce the version for ports. (the
>>>>> other way around is impossible - very complicated)
>>>>
>>>> And the addition of LibreSSL as a not-quite-equivalent alternative
>>>> to ports OpenSSL makes this even more complicated.  You can expect
>>>> things coming out of OpenBSD (like new versions of net/openntpd)
>>>> to require LibreSSL, because it includes a new library libtls that
>>>> doesn't exist in OpenSSL.  In the meantime, LibreSSL has removed
>>>> some of the more horrific APIs of OpenSSL, which means some ports
>>>> will not build against LibreSSL as is.  Like python27.  Fixes for
>>>> these problems can be picked from the OpenBSD ports tree, if we
>>>> want to.
>>>>
>>>> It's kind of hard to fix such problems if there is no clear policy
>>>> how things are supposed to work in the first place.
>>>>
>>>
>>> I and others are working on a policy about that: always enforce openssl from
>>> ports with just a flag to say I want openssl or I want libressl but not both,
>>> would apply to other libs that behave the same way but I have limited time on
>>> this; anyone who wants to work on that is welcome :)
>>
>> I think that we need to build up a team of people who are interested
>> in making that happen in FreeBSD.
>>
>> I would be very interested to have a LibreSSL-powered FreeBSD server
>> for production use at work.
>>
> The thing is when you start pulling the string on this then you have to handle
> all the other cases, because ports binaries will end up with some rpath to make
> sure it finds in priority things from localbase, but then if it is also linked
> to libarchive, ncurses, etc it will grab the localbase version as well
> (depending on the shlib version of those) so doing the job for one of the lib
> means doing it for all others.
>
> For now candidates are:
> libarchive
> ncurses
> readline (which will have then to be linked to ports ncurses and not base
> version through the magic of fake libtermcap)
> openssl
> libedit(?)
>
> for now I do have:
> http://people.freebsd.org/~bapt/nobase.mk
> http://people.freebsd.org/~bapt/ssl.mk
>
> which will make switch from USE_OPENSSL to USES=ssl
> nobase.mk is for ncurses basically USES=ncurses will die and ncurses will just
> become a regular LIB_DEPENDS
>
> When it becomes fun is that now all ports will have to really respect LDFLAGS...
>
> I already found a couple of bad boys in that area.
>
> btw that should also solve some issues with python and its ncurses module.
>

Peter has pointed out that OpenSSL has symbol versioning that we are not
using. Enabling this in base may help the conflict issue here. Even if
we force all ports to use ports OpenSSL we run into the problem you
describe of loading in the base OpenSSL when linking some libraries. The
versioning may avoid that. Of course that would only solve for
11.0/10.2/9.4 and not current releases.

-- 
Regards,
Bryan Drewery
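Both points in this message (Baptiste's rpath-plus-libarchive scenario and Bryan's remark about symbol versioning) come down to which copies of libssl/libcrypto a process actually maps at run time. As an added illustration, not code from this thread or from the FreeBSD ports framework, the script below reads DT_NEEDED, DT_RPATH/DT_RUNPATH and the presence of DT_VERNEED from an ELF64 file, then walks the dependency closure against a constructed library layout to flag a binary that would end up with both a base and a localbase SSL library loaded. The library names and version suffixes, the directory layout in SAMPLE_INSTALLED, and the build_elf fixture are all assumptions made up for the example.

```python
import struct

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED, DT_RPATH, DT_RUNPATH = 0, 1, 15, 29
DT_VERNEED = 0x6FFFFFFE  # set when the object records symbol version needs
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
DYN = struct.Struct("<qQ")                  # Elf64_Dyn

def dynamic_info(elf: bytes) -> dict:
    """Return DT_NEEDED, DT_RPATH/DT_RUNPATH and DT_VERNEED presence of an ELF64 image."""
    hdr = EHDR.unpack_from(elf, 0)
    if hdr[0][:4] != b"\x7fELF" or hdr[0][4] != 2 or hdr[0][5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    info = {"needed": [], "rpath": [], "verneed": False}
    dyn = next((s for s in sections if s[1] == SHT_DYNAMIC), None)
    if dyn is None:
        return info
    strtab_off = sections[dyn[6]][4]  # sh_link names the string table .dynamic uses
    def cstr(off: int) -> str:
        start = strtab_off + off
        return elf[start:elf.index(b"\0", start)].decode()
    for pos in range(dyn[4], dyn[4] + dyn[5], DYN.size):  # sh_offset .. sh_offset+sh_size
        tag, val = DYN.unpack_from(elf, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            info["needed"].append(cstr(val))
        elif tag in (DT_RPATH, DT_RUNPATH):
            info["rpath"].extend(d for d in cstr(val).split(":") if d)
        elif tag == DT_VERNEED:
            info["verneed"] = True
    return info

def resolve_closure(needed, rpath, installed, default_dirs=("/lib", "/usr/lib")):
    """Follow DT_NEEDED transitively like a run-time linker: rpath dirs before default dirs.
    Simplified: every object is resolved with the main binary's rpath. `installed` maps
    directory -> {library name: that library's own DT_NEEDED list} (a constructed view)."""
    loaded, queue = {}, list(needed)
    while queue:
        lib = queue.pop(0)
        if lib in loaded:
            continue
        for d in list(rpath) + list(default_dirs):
            if lib in installed.get(d, {}):
                loaded[lib] = f"{d}/{lib}"
                queue.extend(installed[d][lib])
                break
        else:
            loaded[lib] = None  # not found anywhere
    return loaded

def ssl_report(info: dict, installed: dict) -> dict:
    """List every libssl/libcrypto copy the process would map; flag base+localbase mixes."""
    loaded = resolve_closure(info["needed"], info["rpath"], installed)
    copies = sorted(p for n, p in loaded.items() if p and n.startswith(("libssl", "libcrypto")))
    origins = {"localbase" if p.startswith("/usr/local/") else "base" for p in copies}
    return {"ssl_copies": copies, "mixed": len(origins) > 1, "symbol_versions": info["verneed"]}

def build_elf(needed, rpath=None, verneed=False) -> bytes:
    """Construct a minimal ELF64 image holding only .dynstr/.dynamic/.shstrtab (test fixture)."""
    strtab = bytearray(b"\0")
    def add(s: str) -> int:
        off = len(strtab)
        strtab.extend(s.encode() + b"\0")
        return off
    entries = [(DT_NEEDED, add(n)) for n in needed]
    if rpath:
        entries.append((DT_RUNPATH, add(rpath)))
    if verneed:
        entries.append((DT_VERNEED, 0x1000))  # the address value is irrelevant here
    entries.append((DT_NULL, 0))
    dynamic = b"".join(DYN.pack(t, v) for t, v in entries)
    shstr = b"\0.dynstr\0.dynamic\0.shstrtab\0"
    off_dynstr, off_dynamic = EHDR.size, EHDR.size + len(strtab)
    off_shstr, off_sh = off_dynamic + len(dynamic), off_dynamic + len(dynamic) + len(shstr)
    shdrs = b"".join([
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        SHDR.pack(1, SHT_STRTAB, 0, 0, off_dynstr, len(strtab), 0, 0, 1, 0),
        SHDR.pack(9, SHT_DYNAMIC, 0, 0, off_dynamic, len(dynamic), 1, 0, 8, DYN.size),
        SHDR.pack(18, SHT_STRTAB, 0, 0, off_shstr, len(shstr), 0, 0, 1, 0),
    ])
    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + b"\0" * 8  # ELFCLASS64, LSB, OSABI FreeBSD
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, 0, off_sh, 0, EHDR.size, 0, 0, SHDR.size, 4, 3)
    return ehdr + bytes(strtab) + dynamic + shstr + shdrs

# Constructed sample layout (names and version suffixes are made up): base ships one
# libssl/libcrypto generation in /usr/lib, ports another in /usr/local/lib, and base
# libarchive links against the base libcrypto.
SAMPLE_INSTALLED = {
    "/usr/lib": {"libc.so.7": [], "libcrypto.so.7": ["libc.so.7"],
                 "libssl.so.7": ["libcrypto.so.7", "libc.so.7"],
                 "libarchive.so.6": ["libcrypto.so.7", "libc.so.7"]},
    "/usr/local/lib": {"libcrypto.so.8": ["libc.so.7"],
                       "libssl.so.8": ["libcrypto.so.8", "libc.so.7"]},
}
# A ports binary built with the localbase rpath against ports libssl, but also linked
# to base libarchive: the base libcrypto rides in through libarchive.
MIXED_BINARY = build_elf(["libssl.so.8", "libcrypto.so.8", "libarchive.so.6", "libc.so.7"],
                         rpath="/usr/local/lib")
```

For a real object, pass `open(path, "rb").read()` to `dynamic_info` and supply an `installed` map built from the directories on the machine; the resolver is a deliberate simplification of rtld (no per-object rpath, no ldconfig hints), so treat a `mixed` result as a prompt to confirm with the system's own tooling. The `symbol_versions` flag only records that the object carries version requirements, which is exactly what versioned base libraries would give ports-built objects so that two libcrypto copies in one process no longer resolve the same symbol names against the wrong library.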

