Date: Wed, 6 Feb 2019 17:53:20 -0500
From: Nick Rogers <ncrogers@gmail.com>
To: Kevin Oberman <rkoberman@gmail.com>
Cc: "ports@FreeBSD.org" <ports@freebsd.org>
Subject: Re: Using LibreSSL with only one or a subset of all installed ports
Message-ID: <CAKOb=YZKwJCon-pqqf9yUR6iWV2Csj9qmTZP_jDHyQTvtTPjVA@mail.gmail.com>
In-Reply-To: <CAKOb=YZ7-KKTFg_gG8uO5g6zPUqP4RYeKENFe98iUBvdtuKwWQ@mail.gmail.com>
References: <CAKOb=YbGuYBQ9kMPn%2Bw6V4GRGUSkZGwpyrctuN-u4r_k41uiTA@mail.gmail.com> <CAN6yY1t%2BPBgrb_-6ffonrWQGi7E7bKQe3r-QmUyVtQy3xSYqzg@mail.gmail.com> <CAKOb=YZ7-KKTFg_gG8uO5g6zPUqP4RYeKENFe98iUBvdtuKwWQ@mail.gmail.com>

On Wed, Feb 6, 2019 at 5:32 PM Nick Rogers <ncrogers@gmail.com> wrote:

> On Wed, Feb 6, 2019 at 1:59 PM Kevin Oberman <rkoberman@gmail.com> wrote:
>
>> On Wed, Feb 6, 2019 at 7:55 AM Nick Rogers <ncrogers@gmail.com> wrote:
>>
>>> I am wondering if it is wise or possible to use libressl for only a single
>>> installed port, while continuing to use OpenSSL from Base for all remaining
>>> installed ports. I would like to do this in order to get around the fact
>>> that lang/phantomjs does not compile against openssl 1.1.x due to API
>>> changes, and fixing it is less than trivial. However, I am not quite ready
>>> to switch other ports to LibreSSL.
>>>
>>> My thought was to use the following approach in make.conf when building via
>>> poudriere.
>>>
>>> .if ${.CURDIR:M*/lang/phantomjs}
>>> DEFAULT_VERSIONS+= ssl=libressl
>>> .endif
>>>
>>> I am hoping for some advice as to whether or not this will work, or if it's
>>> a terrible idea, or if there is perhaps a better way to toggle libressl
>>> per-port. All the port documentation I can find suggests an outright switch
>>> to libressl for all ports, so I am concerned there is something I am
>>> missing that will not be happy?
>>
>> Along this path lies madness! Not that it can't work, but it is very
>> dangerous and likely to get more complicated over time.
>>
>> The problem is with having multiple sharable libraries (.so) of the same
>> name. The loader will refuse to load an executable if it attempts to load
>> two or more shareable libraries that have a common name as it is not
>> possible to determine which library to use for any reference. If phantomjs
>> calls ssl routines directly and also is linked to a shareable that is
>> linked to either the openssl port installed shareable or the base system
>> shareable, the code will not load. As linkages grow more and more complex,
>> this tends to turn into a real rat's nest.
>>
>> I'm not saying that it can't be done, but you have to know all of the
>> linkages and be very sure that there are no conflicts.
>
> Thanks for the input. I currently exclusively use OpenSSL in base, so I
> was hoping there was something sane and similar to control using base vs.
> security/openssl, like the WITH_OPENSSL_PORT and WITH_OPENSSL_BASE knobs,
> only for libressl. It looks like security/openssl is still on 1.0, so I
> might be able to get phantomjs working with security/openssl and continue
> using base for other ports.

Now what I can't figure out is how to tell a specific port to use security/openssl and have others use base. The handbook implies that this is possible per-port with the WITH_OPENSSL_* knobs, but those have been deprecated in favor of the global DEFAULT_VERSIONS+= ssl=openssl approach. Anyone know how to correctly set ssl=openssl for a single port via make.conf?

>> --
>> Kevin Oberman, Part time kid herder and retired Network Engineer
>> E-mail: rkoberman@gmail.com
>> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683