Re: what to do when base openssl isn't suitable

2016-07-03 Thread Gerard Seibert
On Sun, 3 Jul 2016 18:27:45 +0200, Mathieu Arnold stated:

>+--On 1 juillet 2016 11:59:18 -0700 Don Lewis wrote:
>| I've got a port that does not work with base openssl because it looks
>| for libssl.pc.  Other than that, I don't think it is picky about what
>| flavor of ports ssl is installed.  Because the default version of ssl
>| still defaults to base, I don't see a way to get this port to build on
>| the cluster, so there is no way to provide binary packages.  That's a
>| problem for end users because this port has a bunch of huge build
>| dependencies.  Thoughts?
>
>Right now, you put in the port's Makefile (it always was wrong to do
>so, but so many are doing it...):
>
>USE_OPENSSL=yes
>WITH_OPENSSL_PORT=yes
>
>This summer, I'll change the default OpenSSL from base to
>security/openssl, and at that point, I will remove all the
>WITH_OPENSSL_PORT for a check with SSL_DEFAULT (that will get the port
>ignored if the wrong SSL is used.) It needs some work WRT GSSAPI to
>make sure a sane default is chosen if building with ports openssl.
>
>And then, in the near future, I'll remove support for base openssl and
>gssapi in the ports tree, so that everything is always built with
>ports.

Sounds like a sane plan to me. I have always hated the duplication of
applications in ports and base. In almost all cases, the "base"
application is older than the port version. Updating it is more work,
and inevitably a conflict arises.

-- 
Jerry
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"


Re: what to do when base openssl isn't suitable

2016-07-03 Thread Mathieu Arnold


+--On 1 juillet 2016 11:59:18 -0700 Don Lewis  wrote:
| I've got a port that does not work with base openssl because it looks
| for libssl.pc.  Other than that, I don't think it is picky about what
| flavor of ports ssl is installed.  Because the default version of ssl
| still defaults to base, I don't see a way to get this port to build on
| the cluster, so there is no way to provide binary packages.  That's a
| problem for end users because this port has a bunch of huge build
| dependencies.  Thoughts?

Right now, you put in the port's Makefile (it always was wrong to do so,
but so many are doing it...):

USE_OPENSSL=yes
WITH_OPENSSL_PORT=yes

This summer, I'll change the default OpenSSL from base to security/openssl,
and at that point, I will remove all the WITH_OPENSSL_PORT for a check with
SSL_DEFAULT (that will get the port ignored if the wrong SSL is used.)
It needs some work WRT GSSAPI to make sure a sane default is chosen if
building with ports openssl.

And then, in the near future, I'll remove support for base openssl and
gssapi in the ports tree, so that everything is always built with ports.

-- 
Mathieu Arnold



Re: what to do when base openssl isn't suitable

2016-07-02 Thread abi
I tried to build www/nginx today, however it seems to ignore the
DEFAULT_VERSIONS knob.

Old style knobs work.

On 02.07.2016 19:10, Don Lewis wrote:
> On  2 Jul, Gerard Seibert wrote:
>> I have to admit that this whole discussion has gotten me confused. I
>> use "openssl" from ports, always have and probably always will. I used
>> to use the now apparently deprecated statement in the /etc/make.conf
>> file:
>>
>> WITH_OPENSSL_PORT=YES
>
> That's what I've been doing to build my own package set.
>
>> From what I am reading, I would replace that line with the following
>> statement:
>>
>> DEFAULT_VERSIONS+= ssl=openssl
>
> I believe that is correct.
>
>> to force the use of the "ports" version of "openssl". Is that correct,
>> or is my interpretation of this incorrect?
>>
>> Thanks



Re: what to do when base openssl isn't suitable

2016-07-02 Thread Don Lewis
On  2 Jul, Shane Ambler wrote:
> On 02/07/2016 04:29, Don Lewis wrote:
>> I've got a port that does not work with base openssl because it looks
>> for libssl.pc.  Other than that, I don't think it is picky about what
>> flavor of ports ssl is installed.
> 
> If it is looking for libssl.pc then it is using pkg-config to get the
> CFLAGS/CXXFLAGS/LDFLAGS to use for openssl.
> 
> Search the Makefiles for  pkg-config openssl --cflags --libs or the
> variable substituted equivalent, then patch it to suit. If you want to
> use the system openssl then manually adding -lssl -lcrypto where it adds
> the result from pkg-config should work.

In this case, the configure script skips the call to pkg-config if
$libssl_CFLAGS is set.  I was able to get a successful build by passing
the proper environment variables to configure without the need for
patching it.  This is what I added to the ports Makefile:

.if ${SSL_DEFAULT} == base
. if ${OPSYS} == FreeBSD && ${OSVERSION} < 100
IGNORE= base OpenSSL in FreeBSD 9 is too old, specify a ports version of SSL by \
adding DEFAULT_VERSIONS+=ssl=... to /etc/make.conf and rebuild everything that \
needs SSL
. else
CONFIGURE_ENV+= libcrypto_CFLAGS="-I${OPENSSLINC}"  \
libcrypto_LIBS="-L${OPENSSLLIB} -lcrypto"   \
libssl_CFLAGS="-I${OPENSSLINC}" \
libssl_LIBS="-L${OPENSSLLIB} -lssl"
. endif
.endif

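The configure-time behaviour Don describes above (pkg-config is consulted for libssl.pc only when libssl_CFLAGS is not already set, and base OpenSSL ships no .pc file) can be reproduced outside the ports framework. The following POSIX sh function is an added example written for this page, not code from the thread or from any port: it honours explicit libssl_CFLAGS/libssl_LIBS first, then asks pkg-config, and finally falls back to explicit -I/-L flags only if the headers actually exist at the given include directory. The function name probe_libssl, the PKG_CONFIG override variable (set it to "false" to force the no-.pc-file case) and the directory arguments are assumptions of this example; the include/lib paths mirror what the ports framework exposes as OPENSSLINC/OPENSSLLIB.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): emulate the libssl
# lookup a configure script performs, in the order that matters for getting a
# deterministic build against the intended OpenSSL.
#
# probe_libssl INCDIR LIBDIR
#   Prints "CFLAGS=<flags>;LIBS=<flags>" and returns 0 when a usable libssl
#   location is found, prints nothing and returns 1 otherwise.
#
# Environment (all optional, names assumed for this example):
#   libssl_CFLAGS / libssl_LIBS  explicit flags, as a ports Makefile would pass
#                                via CONFIGURE_ENV; when set, pkg-config is skipped
#   PKG_CONFIG                   pkg-config binary to use; "false" disables it
probe_libssl() {
    incdir=$1
    libdir=$2
    pc=${PKG_CONFIG:-pkg-config}

    # 1. The caller already told us where libssl lives: honour that and do not
    #    let a stray libssl.pc on PKG_CONFIG_PATH override it. Mixing headers
    #    from one OpenSSL with the library of another is the failure mode the
    #    explicit CONFIGURE_ENV assignments in the thread are there to prevent.
    if [ -n "${libssl_CFLAGS:-}" ] && [ -n "${libssl_LIBS:-}" ]; then
        printf 'CFLAGS=%s;LIBS=%s\n' "$libssl_CFLAGS" "$libssl_LIBS"
        return 0
    fi

    # 2. pkg-config knows a libssl.pc (the ports OpenSSL installs one under
    #    /usr/local/libdata/pkgconfig; the base OpenSSL installs none).
    if command -v "$pc" >/dev/null 2>&1 && "$pc" --exists libssl 2>/dev/null; then
        printf 'CFLAGS=%s;LIBS=%s\n' \
            "$("$pc" --cflags libssl)" "$("$pc" --libs libssl)"
        return 0
    fi

    # 3. No .pc file: fall back to explicit paths, but only after checking that
    #    the headers are really there, so a typo in INCDIR fails here rather
    #    than deep inside the compile.
    if [ -f "$incdir/openssl/ssl.h" ]; then
        printf 'CFLAGS=-I%s;LIBS=-L%s -lssl -lcrypto\n' "$incdir" "$libdir"
        return 0
    fi

    return 1
}

# Typical invocation (ports-style values for INCDIR/LIBDIR):
#   probe_libssl /usr/local/include /usr/local/lib
```

Running it with PKG_CONFIG=false and a base-OpenSSL include directory (/usr/include on FreeBSD) exercises the same path a ports build takes when SSL_DEFAULT is base: no .pc file, explicit flags. Running it with libssl_CFLAGS and libssl_LIBS exported exercises the path Don's CONFIGURE_ENV addition selects.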


Re: what to do when base openssl isn't suitable

2016-07-02 Thread Don Lewis
On  2 Jul, Gerard Seibert wrote:
> I have to admit that this whole discussion has gotten me confused. I
> use "openssl" from ports, always have and probably always will. I used
> to use the now apparently deprecated statement in the /etc/make.conf
> file:
> 
> WITH_OPENSSL_PORT=YES

That's what I've been doing to build my own package set.

> From what I am reading, I would replace that line with the following
> statement:
> 
> DEFAULT_VERSIONS+= ssl=openssl

I believe that is correct.

> to force the use of the "ports" version of "openssl". Is that correct,
> or is my interpretation of this incorrect?
> 
> Thanks
> 



Re: what to do when base openssl isn't suitable

2016-07-02 Thread Matthew Seaman
On 02/07/2016 11:45, Gerard Seibert wrote:
> I have to admit that this whole discussion has gotten me confused. I
> use "openssl" from ports, always have and probably always will. I used
> to use the now apparently deprecated statement in the /etc/make.conf
> file:
> 
> WITH_OPENSSL_PORT=YES
> 
> From what I am reading, I would replace that line with the following
> statement:
> 
> DEFAULT_VERSIONS+= ssl=openssl
> 
> to force the use of the "ports" version of "openssl". Is that correct,
> or is my interpretation of this incorrect?

These would work for an individual user to customize things via their
/etc/make.conf file, and have the effect of causing all OpenSSL using
ports to link against the ports version of OpenSSL.

Except that neither of these constructs is valid for adding to a port's
own Makefile -- and indeed, as you say, WITH_OPENSSL_PORT is no longer
useable anywhere.

USES=ssl unfortunately does not offer any argument to allow the port
maintainer to limit what SSL library the user can select.  There are two
possible answers to this problem:

  1) Test the value of eg. OPENSSL_PORT after USES=ssl has been
 processed and error out if the user has chosen something
 incompatible with this port.

  2) Make this port, and in fact all ports, compatible with as many as
 possible of the different variations on SSL libraries that the
 ports supports[*].

While (1) is superficially attractive, it basically means that your port
is going to be fragile in the face of changes to whichever SSL library is
chosen: something that is likely to happen with different versions of
FreeBSD or based on revealed security problems with these libraries.
Not recommended.

Essentially, you will need to be able to do (2) -- compile successfully
against a number of different SSL library implementations.  This is
clearly much harder to do than (1), given that software consumers of SSL
libraries will all have their own ideas about how to configure and link
themselves, but on the whole there will be several groups of relatively
similar solutions, likely one of which will be relevant and fairly easy
to copy and adapt to the needs of a specific port.

A lot of this work has already been done, and documented -- largely as a
result of the desire to use LibreSSL as a generic replacement for
OpenSSL.  See Bernard Spil's wiki pages here:

   https://wiki.freebsd.org/OpenSSL/

There is a plan afoot to make all ported software only use SSL libraries
from the ports, and reserve the base OpenSSL library as private to base
system software.  This will make SSL support in ports substantially
easier, but it is not here yet.

Cheers,

Matthew

[*] which is currently base-OpenSSL, ports-OpenSSL, LibreSSL and
maybe... a bunch of other contenders like GnuTLS, PolarSSL, WolfSSL.
You've a reasonable assurance of success with the first three, but the
rest are less commonly used, or have significant differences in their
APIs, and more importantly, haven't had the work put in to make them
generically portable[+].

[+] Also there's a question over whether these SSL libraries will be up
to standard with the latest security ideas, such as obsoleting SSLv2,
SSLv3 and TLSv1.0 in favour of TLSv1.1 or above.






Re: what to do when base openssl isn't suitable

2016-07-02 Thread Shane Ambler

On 02/07/2016 04:29, Don Lewis wrote:

I've got a port that does not work with base openssl because it looks
for libssl.pc.  Other than that, I don't think it is picky about what
flavor of ports ssl is installed.


If it is looking for libssl.pc then it is using pkg-config to get the
CFLAGS/CXXFLAGS/LDFLAGS to use for openssl.

Search the Makefiles for  pkg-config openssl --cflags --libs or the
variable substituted equivalent, then patch it to suit. If you want to
use the system openssl then manually adding -lssl -lcrypto where it adds
the result from pkg-config should work.


--
FreeBSD - the place to B...Software Developing

Shane Ambler



Re: what to do when base openssl isn't suitable

2016-07-02 Thread Gerard Seibert
I have to admit that this whole discussion has gotten me confused. I
use "openssl" from ports, always have and probably always will. I used
to use the now apparently deprecated statement in the /etc/make.conf
file:

WITH_OPENSSL_PORT=YES

From what I am reading, I would replace that line with the following
statement:

DEFAULT_VERSIONS+= ssl=openssl

to force the use of the "ports" version of "openssl". Is that correct,
or is my interpretation of this incorrect?

Thanks

-- 
Carmel




Re: what to do when base openssl isn't suitable

2016-07-01 Thread Don Lewis
On  2 Jul, Jan Beich wrote:
> Don Lewis  writes:
> 
>> I've got a port that does not work with base openssl because it looks
>> for libssl.pc.  Other than that, I don't think it is picky about what
>> flavor of ports ssl is installed.  Because the default version of ssl
>> still defaults to base, I don't see a way to get this port to build on
>> the cluster, so there is no way to provide binary packages.  That's a
>> problem for end users because this port has a bunch of huge build
>> dependencies.  Thoughts?
> 
> Have you tried putting a copy of libssl.pc under ${FILESDIR} and
> adjusting PKG_CONFIG_PATH or forcing configure to accept *FLAGS without?
> 
>   # from net-p2p/zetacoin/Makefile
>   CONFIGURE_ENV=  CRYPTO_CFLAGS="-I${OPENSSLINC}" CRYPTO_LIBS="-L${OPENSSLLIB} -lcrypto" \
>                   SSL_CFLAGS="-I${OPENSSLINC}" SSL_LIBS="-L${OPENSSLLIB} -lssl"
>
>   # from mail/mpop/Makefile
>   OPENSSL_CONFIGURE_ENV=${OPENSSLINC:M/usr/include:C,.+,libssl_CFLAGS=" ",} \
>                         ${OPENSSLLIB:M/usr/lib:C,.+,libssl_LIBS="-lssl -lcrypto",}

Option #2 works, except on FreeBSD 9, where the base version of OpenSSL
is too old.  I'm ok with setting IGNORE in that case.



Re: what to do when base openssl isn't suitable

2016-07-01 Thread Chris H
On Sat, 2 Jul 2016 01:16:36 +0200 Baptiste Daroussin  wrote

> On Fri, Jul 01, 2016 at 04:15:12PM -0700, Chris H wrote:
> > On Fri, 1 Jul 2016 14:41:34 -0700 (PDT) Don Lewis 
> > wrote 
> > > On  1 Jul, Miroslav Lachman wrote:
> > > > Don Lewis wrote on 07/01/2016 20:59:
> > > >> I've got a port that does not work with base openssl because it looks
> > > >> for libssl.pc.  Other than that, I don't think it is picky about what
> > > >> flavor of ports ssl is installed.  Because the default version of ssl
> > > >> still defaults to base, I don't see a way to get this port to build on
> > > >> the cluster, so there is no way to provide binary packages.  That's a
> > > >> problem for end users because this port has a bunch of huge build
> > > >> dependencies.  Thoughts?
> > > > 
> > > > There are already packages depending on ports OpenSSL because they need
> > > > /usr/local/libdata/pkgconfig/libssl.pc (installed by openssl-1.0.2_14)
> > > > so I think you can make a port depend on ports openssl.
> > > > See nginx for example.
> > > > 
> > > > .if defined(NGINX_OPENSSL)
> > > > USE_OPENSSL= yes
> > > 
> > > USE_OPENSSL is now deprecated and has been replaced by USES=ssl
> > > 
> > > > .if ${OSVERSION} < 110
> > > > WITH_OPENSSL_PORT=yes
> > > 
> > > WITH_OPENSSL_PORT is now deprecated.  Even before that I don't think it
> > > was intended to be used in the port Makefile, only in /etc/make.conf.
> > > The suggested replacement is to put DEFAULT_VERSIONS+=ssl=openssl in
> > > /etc/make.conf.
> > 
> > Wouldn't something along the lines of
> > 
> > SSL_LIB_DEPENDS=libssl.pc:security/openssl
> > 
> libssl.pc? nothing will ever work with this line :)
Right, and I noticed what I had done the moment I hit
the send button. So was forced to send another reply
with the *intended* suggestion. :/

SSLLIB_DESC=OpenSSL support

SSL_LIB_DEPENDS=libssl.so:security/openssl
SSLLIB_CONFIGURE_WITH=  ssllib

or perhaps more simply

LIB_DEPENDS=libssl.so:security/openssl

in an appropriate location for an SSL option,
assuming it's even optional.


> 
> Best regards,
> Bapt

--Chris

--




Re: what to do when base openssl isn't suitable

2016-07-01 Thread Chris H
On Fri, 01 Jul 2016 16:15:12 -0700 "Chris H"  wrote

> On Fri, 1 Jul 2016 14:41:34 -0700 (PDT) Don Lewis 
> wrote 
>
> > On  1 Jul, Miroslav Lachman wrote:
> > > Don Lewis wrote on 07/01/2016 20:59:
> > >> I've got a port that does not work with base openssl because it looks
> > >> for libssl.pc.  Other than that, I don't think it is picky about what
> > >> flavor of ports ssl is installed.  Because the default version of ssl
> > >> still defaults to base, I don't see a way to get this port to build on
> > >> the cluster, so there is no way to provide binary packages.  That's a
> > >> problem for end users because this port has a bunch of huge build
> > >> dependencies.  Thoughts?
> > > 
> > > There are already packages depending on ports OpenSSL because they need
> > > /usr/local/libdata/pkgconfig/libssl.pc (installed by openssl-1.0.2_14)
> > > so I think you can make a port depend on ports openssl.
> > > See nginx for example.
> > > 
> > > .if defined(NGINX_OPENSSL)
> > > USE_OPENSSL= yes
> > 
> > USE_OPENSSL is now deprecated and has been replaced by USES=ssl
> > 
> > > .if ${OSVERSION} < 110
> > > WITH_OPENSSL_PORT=yes
> > 
> > WITH_OPENSSL_PORT is now deprecated.  Even before that I don't think it
> > was intended to be used in the port Makefile, only in /etc/make.conf.
> > The suggested replacement is to put DEFAULT_VERSIONS+=ssl=openssl in
> > /etc/make.conf.
> 
> Wouldn't something along the lines of
> 
> SSL_LIB_DEPENDS=libssl.pc:security/openssl
> 
> get it for you?

Ahem... that *should* have read

SSL_LIB_DEPENDS=libssl.so:security/openssl

Sorry.
> 
> Just a thought, because you asked. ;-)
> 
> --Chris
> > 
> > 
> > 
> > > .endif
> > > .endif
> > 
> > 


Re: what to do when base openssl isn't suitable

2016-07-01 Thread Baptiste Daroussin
On Fri, Jul 01, 2016 at 04:15:12PM -0700, Chris H wrote:
> On Fri, 1 Jul 2016 14:41:34 -0700 (PDT) Don Lewis  wrote
> 
> > On  1 Jul, Miroslav Lachman wrote:
> > > Don Lewis wrote on 07/01/2016 20:59:
> > >> I've got a port that does not work with base openssl because it looks
> > >> for libssl.pc.  Other than that, I don't think it is picky about what
> > >> flavor of ports ssl is installed.  Because the default version of ssl
> > >> still defaults to base, I don't see a way to get this port to build on
> > >> the cluster, so there is no way to provide binary packages.  That's a
> > >> problem for end users because this port has a bunch of huge build
> > >> dependencies.  Thoughts?
> > > 
> > > There are already packages depending on ports OpenSSL because they need
> > > /usr/local/libdata/pkgconfig/libssl.pc (installed by openssl-1.0.2_14)
> > > so I think you can make a port depend on ports openssl.
> > > See nginx for example.
> > > 
> > > .if defined(NGINX_OPENSSL)
> > > USE_OPENSSL= yes
> > 
> > USE_OPENSSL is now deprecated and has been replaced by USES=ssl
> > 
> > > .if ${OSVERSION} < 110
> > > WITH_OPENSSL_PORT=yes
> > 
> > WITH_OPENSSL_PORT is now deprecated.  Even before that I don't think it
> > was intended to be used in the port Makefile, only in /etc/make.conf.
> > The suggested replacement is to put DEFAULT_VERSIONS+=ssl=openssl in
> > /etc/make.conf.
> 
> Wouldn't something along the lines of
> 
> SSL_LIB_DEPENDS=  libssl.pc:security/openssl
> 
libssl.pc? nothing will ever work with this line :)

Best regards,
Bapt




Re: what to do when base openssl isn't suitable

2016-07-01 Thread Chris H
On Fri, 1 Jul 2016 14:41:34 -0700 (PDT) Don Lewis  wrote

> On  1 Jul, Miroslav Lachman wrote:
> > Don Lewis wrote on 07/01/2016 20:59:
> >> I've got a port that does not work with base openssl because it looks
> >> for libssl.pc.  Other than that, I don't think it is picky about what
> >> flavor of ports ssl is installed.  Because the default version of ssl
> >> still defaults to base, I don't see a way to get this port to build on
> >> the cluster, so there is no way to provide binary packages.  That's a
> >> problem for end users because this port has a bunch of huge build
> >> dependencies.  Thoughts?
> > 
> > There are already packages depending on ports OpenSSL because they need
> > /usr/local/libdata/pkgconfig/libssl.pc (installed by openssl-1.0.2_14)
> > so I think you can make a port depend on ports openssl.
> > See nginx for example.
> > 
> > .if defined(NGINX_OPENSSL)
> > USE_OPENSSL= yes
> 
> USE_OPENSSL is now deprecated and has been replaced by USES=ssl
> 
> > .if ${OSVERSION} < 110
> > WITH_OPENSSL_PORT=yes
> 
> WITH_OPENSSL_PORT is now deprecated.  Even before that I don't think it
> was intended to be used in the port Makefile, only in /etc/make.conf.
> The suggested replacement is to put DEFAULT_VERSIONS+=ssl=openssl in
> /etc/make.conf.

Wouldn't something along the lines of

SSL_LIB_DEPENDS=libssl.pc:security/openssl

get it for you?

Just a thought, because you asked. ;-)

--Chris
> 
> 
> 
> > .endif
> > .endif
> 
> 


Re: what to do when base openssl isn't suitable

2016-07-01 Thread Don Lewis
On  1 Jul, Miroslav Lachman wrote:
> Don Lewis wrote on 07/01/2016 20:59:
>> I've got a port that does not work with base openssl because it looks
>> for libssl.pc.  Other than that, I don't think it is picky about what
>> flavor of ports ssl is installed.  Because the default version of ssl
>> still defaults to base, I don't see a way to get this port to build on
>> the cluster, so there is no way to provide binary packages.  That's a
>> problem for end users because this port has a bunch of huge build
>> dependencies.  Thoughts?
> 
> There are already packages depending on ports OpenSSL because they need
> /usr/local/libdata/pkgconfig/libssl.pc (installed by openssl-1.0.2_14)
> so I think you can make a port depend on ports openssl.
> See nginx for example.
> 
> .if defined(NGINX_OPENSSL)
> USE_OPENSSL= yes

USE_OPENSSL is now deprecated and has been replaced by USES=ssl

> .if ${OSVERSION} < 110
> WITH_OPENSSL_PORT=yes

WITH_OPENSSL_PORT is now deprecated.  Even before that I don't think it
was intended to be used in the port Makefile, only in /etc/make.conf.
The suggested replacement is to put DEFAULT_VERSIONS+=ssl=openssl in
/etc/make.conf.



> .endif
> .endif

