Keith M Wesolowski wrote:
> On Fri, May 16, 2008 at 01:01:21PM +0100, Darren J Moffat wrote:
> 
>> If the goal is to build external to OpenSolaris FOSS with its own build 
>> tools then moving those things out of ON into somewhere like SFW is a 
>> great goal - and this is why I want OpenSSL out of ON.
> 
> I can't imagine a worse goal to have, other than obviously perverse
> ones like "make our software {less reliable, slower, harder to use}."
> 
> What is the advantage to using build tools that are notoriously
> unreliable, often encode knowledge of the build server's
> configuration, and fail to use the contents of the proto area?

For the specific case of OpenSSL we are leaving runtime library 
performance on the table because we are building with ON makefiles - and 
we have evidence to show this.

The other reason we want to move OpenSSL to using its own build system 
is to allow us to take advantage of the FIPS 140-2 evaluation of 
OpenSSL.  To do this we must build it in a very specific way and that 
cannot be done unless we use the OpenSSL supplied Makefiles.

> OpenSSL is the poster child for proper integration of
> externally-developed software into the OpenSolaris software universe.

As the person who put it into Solaris and one of the people responsible 
for its evolution in Solaris I very very strongly disagree. I wish I 
hadn't put it into ON the way it was done but we made that decision at 
the time for reasons that are no longer valid.  It causes us a very 
significant amount of time to integrate new versions of OpenSSL and we 
have needlessly created additional work by maintaining our own build 
system for it that doesn't properly understand all the "perl encoded" 
assembler optimisations.

Our plan of record is to move OpenSSL out of ON - it really doesn't need 
to be there - and deliver it from SFW.  We will still deliver 32 and 64 
bit libraries and binaries, we will still deliver them in the same 
packages.  We will just be doing it from SFW instead of ON and in a way 
that means we aren't forked from the upstream source and we can keep up 
to date with the upstream community easier.

The recent issue with OpenSSL and Debian *could* have happened in a 
similar way on Solaris.  The longer we keep OpenSSL in ON and not using 
the OpenSSL build system the longer we take that risk.  We already have 
a waiver for cstyle and lint for OpenSSL so the risk isn't quite the 
same but by not using their build system we have to take a significant 
amount of engineer time to carefully look at every new source and object 
file that upstream delivers or produces during configure/build and 
convert that into the ON style.

-- 
Darren J Moffat
_______________________________________________
opensolaris-code mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/opensolaris-code