Re: Experiences with El Capitan

2015-11-09 Thread Ryan Schmidt 

On Nov 9, 2015, at 2:34 AM, Artur Szostak wrote:

> Let me ask another question: Is there a seamless way to add building and 
> mirroring services from 3rd parties for the pre-built binaries?

No. We want verified binaries built in a clean-room by known servers, not 
binaries built in unknown conditions by arbitrary contributors.


___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: openssl vs. libressl

2015-11-09 Thread René J . V . Bertin 
On Monday November 09 2015 15:27:54 Ryan Schmidt wrote:

> > Interesting. I think it was FreeBSD that tried to do that (both API and 
> > ABI) and failed at both, and said rebuild stuff for one or the other. 
> > Apparently they were the ones who made the mistake, and it actually works 
> > if done right?
> 
> You are correct, it does not work.

This is what I predicted.

> 
> 
> $ curl https://www.macports.org/
> dyld: Library not loaded: /opt/local/lib/libssl.1.0.0.dylib
>   Referenced from: /opt/local/bin/curl
>   Reason: image not found
> Trace/BPT trap: 5

Now what if you do

%> ln -s libssl.35.dylib libssl.1.0.0.dylib ?

(assuming that libressl indeed installs libssl.35.dylib)

If that works, it can be handled with a very simple post-destroot addition in 
both ports .

R
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: openssl vs. libressl

2015-11-09 Thread Rainer Müller 
On 2015-11-09 22:40, René J.V. Bertin wrote:
> Now what if you do
> 
> %> ln -s libssl.35.dylib libssl.1.0.0.dylib ?
> 
> (assuming that libressl indeed installs libssl.35.dylib)
> 
> If that works, it can be handled with a very simple post-destroot addition in 
> both ports .

You should not do this. It might work for some binaries, but it is not
guaranteed to work in all cases.

See both the official statement and a blog post from a Gentoo developer
explaining the problem:

https://github.com/libressl-portable/portable#compatibility-with-openssl

https://blog.flameeyes.eu/2014/07/libressl-drop-in-and-abi-leakage

Rainer
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: openssl vs. libressl

2015-11-09 Thread René J . V . Bertin 
On Monday November 09 2015 15:05:26 Ryan Schmidt wrote:

> In r139229 Jeremy made libressl a drop-in replacement for openssl. If a 
> rebuild is needed to make things work, then this

Yes, but at least on Linux libressl installs libraries with different numbers 
(libssl.so.35 vs libssl.so.1.0.0). I haven't yet checked on OS X, but if this 
is the case there too then Jeremy's modification (using path: style 
dependencies) is not enough.

> What happens if you install a port like curl for example that depends on 
> openssl, and then force-deactivate openssl and install libressl instead? Does 
> curl still work for accessing secure sites or do you get an error?

I haven't tried that yet, I'll see if I have time for it tomorrow. Don't 
hesitate to beat me to it, though :)

R.
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: openssl vs. libressl

2015-11-09 Thread Ryan Schmidt 

On Nov 9, 2015, at 3:12 PM, Brandon Allbery wrote:
> On Mon, Nov 9, 2015 at 4:05 PM, Ryan Schmidt wrote:
>> In r139229 Jeremy made libressl a drop-in replacement for openssl.
> 
> Interesting. I think it was FreeBSD that tried to do that (both API and ABI) 
> and failed at both, and said rebuild stuff for one or the other. Apparently 
> they were the ones who made the mistake, and it actually works if done right?

You are correct, it does not work.


$ curl https://www.macports.org/
dyld: Library not loaded: /opt/local/lib/libssl.1.0.0.dylib
  Referenced from: /opt/local/bin/curl
  Reason: image not found
Trace/BPT trap: 5



___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

opendkim and Trac error

2015-11-09 Thread Terry Barnum 
Pixilla was kind enough to update both the amavisd-new and opendkim ports but I 
ran into a problem with unbound, a dependency of opendkim. I went to look at 
the opendkim port on trac to see if I could figure it out or open a ticket but 
I see "Trac Error" when attempting to view any port.

Here's the error when installing opendkim:

Error: org.macports.activate for port unbound returned: could not set owner for 
file "/opt/local/var/run/unbound/root.key": no such file or directory
Error: Failed to install unbound

Indeed, there is no root.key file in there, only an unbound.pid.
$ ls -l /opt/local/var/run/unbound
-rw-r--r--  1 unbound  unbound  0 Oct 30 12:08 unbound.pid

>From the main.log:
...
:debug:activate Executing proc-post-org.macports.activate-activate-0
:error:activate org.macports.activate for port unbound returned: could not set 
owner for file "/opt/local/var/run/unbound/root.key": no such file or directory
:debug:activate Error code: NONE
:debug:activate Backtrace: could not set owner for file 
"/opt/local/var/run/unbound/root.key": no such file or directory
while executing
"proc-post-org.macports.activate-activate-0 org.macports.activate"
("eval" body line 1)
invoked from within
"eval $post $targetname"
:info:activate Warning: targets not executed for unbound: org.macports.activate
:error:activate Failed to install unbound
:debug:activate could not read "/opt/local/var/run/unbound/unbound.pid": no 
such file or directory
while executing
"::file type $file"

-Terry
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: openssl vs. libressl

2015-11-09 Thread René J . V . Bertin 
On Monday November 09 2015 16:11:54 Jeremy Huddleston Sequoia wrote:

hi,

> > Now what if you do
> > 
> > %> ln -s libssl.35.dylib libssl.1.0.0.dylib ?
> > 
> > (assuming that libressl indeed installs libssl.35.dylib)
> > 
> > If that works, it can be handled with a very simple post-destroot addition 
> > in both ports .
> 
> Don't do that.  There's a 99% chance it won't work for you.

You know what happens when you say that kind of thing to a Dutch (former) 
scientist, eh? ;)
First quick tests (downloading a couple of release tarballs from github, with 
/opt/local/bin/curl) suggests that it works. Which doesn't really surprise me 
too much: both libraries are written in C. As long as dependent software sticks 
to public APIs (and those APIs are indeed compatible), the binary libraries 
should be compatible too, regardless of how different they are "behind the 
scenes".

R.
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: openssl vs. libressl

2015-11-09 Thread Brandon Allbery 
On Mon, Nov 9, 2015 at 8:31 PM, René J.V.  wrote:

> First quick tests (downloading a couple of release tarballs from github,
> with /opt/local/bin/curl) suggests that it works. Which doesn't really
> surprise me too much: both libraries are written in C. As long as dependent
> software sticks to public APIs (and those APIs are indeed compatible), the
> binary libraries should be compatible too, regardless of how different they
> are "behind the scenes".


And assuming said APIs do not expose internal details in
programmer-callable macros, have the caller allocate structures whose size
might change, etc. See the Gentoo dev link given previously. (The macros
one is a lovely example of how an API may be the same but the ABI quite
different. ncurses 6 has a lot of this going on vs. ncurses 5, because the
public curses API has quite a few things that are implemented as macros;
the ncurses 6 documentation specifically warns that the API is as close as
possible to that of ncurses 5, but the ABI quite incompatible.)

Very old versions of KDE also used macros this way, and they learned the
hard way about this API/ABI compatibility break.

-- 
brandon s allbery kf8nh   sine nomine associates
allber...@gmail.com  ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonadhttp://sinenomine.net
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: Experiences with El Capitan

2015-11-09 Thread Arno Hautala 
I've been using this [1] procedure for quite a while.

It could easily be adapted for widespread use by hosting the binaries
and signatures somewhere publicly.

And I'm not sure of the specifics, but I know there are build scripts
in the repo somewhere for building all ports. A previous message [2]
indicates they're here [3], But it looks like trac is still having
issues.

The real issue is trust. You have to trust the builder not to insert
malware and the hoster to have secured the server against file
manipulation. So I can see this easily being adapted for small groups,
but I'd personally suffer through building everything myself over
trusting an anonymous 3rd party.

Apple has been very generous in their hosting and support previously,
but I'd still love to see build slaves and hosting that wasn't reliant
on them to manage. MacPorts can't possibly be a priority for their
interests.

[1]: https://trac.macports.org/wiki/howto/ShareArchives2
[2]: https://lists.macosforge.org/pipermail/macports-dev/2015-August/031253.html
[3]: https://trac.macports.org/browser/contrib/buildbot


On Mon, Nov 9, 2015 at 3:34 AM, Artur Szostak  wrote:
> Hi,
>
> Let me ask another question: Is there a seamless way to add building and 
> mirroring services from 3rd parties for the pre-built binaries?
>
> Kind regards.
>
> Artur
>
> 
> From: macports-users-boun...@lists.macosforge.org 
> [macports-users-boun...@lists.macosforge.org] on behalf of Daniel J. Luke 
> [dl...@geeklair.net]
> Sent: 06 November 2015 16:08
> To: Rainer Müller
> Cc: macports-users
> Subject: Re: Experiences with El Capitan
>
> On Nov 5, 2015, at 3:35 PM, Rainer Müller  wrote:
>> This is mainly due to the absence of an actual admin at Mac OS Forge,
>> our hosting provider at Apple.
>
> Do we know if there's a position posted? It would be great if someone from 
> the Macports community held that position.
>
> --
> Daniel J. Luke
> ++
> | * dl...@geeklair.net * |
> | *-- http://www.geeklair.net -* |
> ++
> |   Opinions expressed are mine and do not necessarily   |
> |  reflect the opinions of my employer.  |
> ++
>
>
>
>
>
> ___
> macports-users mailing list
> macports-users@lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/macports-users
> ___
> macports-users mailing list
> macports-users@lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/macports-users



-- 
arno  s  hautala/-|   a...@alum.wpi.edu

pgp b2c9d448
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: openssl vs. libressl

2015-11-09 Thread Brandon Allbery 
On Mon, Nov 9, 2015 at 3:39 PM, René J.V.  wrote:

> I understand that libressl aims to be API-compatible with openssl so that
> it can act as a drop-in replacement. How far does that go, far enough that
> one can symlink the libssl and libcrypto runtimes from the one port to the
> shared libraries of the other, without having to rebuild dependents?


My understanding is that the API (i.e. source) compatibility is mostly
there but the A*B*I (binary) compatibility was a swing and a miss; assume
you have to rebuild stuff.

-- 
brandon s allbery kf8nh   sine nomine associates
allber...@gmail.com  ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonadhttp://sinenomine.net
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

openssl vs. libressl

2015-11-09 Thread René J . V . Bertin 
Hi,

I understand that libressl aims to be API-compatible with openssl so that it 
can act as a drop-in replacement. How far does that go, far enough that one can 
symlink the libssl and libcrypto runtimes from the one port to the shared 
libraries of the other, without having to rebuild dependents?

R.
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: openssl vs. libressl

2015-11-09 Thread Jeremy Huddleston Sequoia 

> On Nov 9, 2015, at 17:31, René J.V. Bertin  wrote:
> 
> On Monday November 09 2015 16:11:54 Jeremy Huddleston Sequoia wrote:
> 
> hi,
> 
>>> Now what if you do
>>> 
>>> %> ln -s libssl.35.dylib libssl.1.0.0.dylib ?
>>> 
>>> (assuming that libressl indeed installs libssl.35.dylib)
>>> 
>>> If that works, it can be handled with a very simple post-destroot addition 
>>> in both ports .
>> 
>> Don't do that.  There's a 99% chance it won't work for you.
> 
> You know what happens when you say that kind of thing to a Dutch (former) 
> scientist, eh? ;)
> First quick tests (downloading a couple of release tarballs from github, with 
> /opt/local/bin/curl) suggests that it works. Which doesn't really surprise me 
> too much: both libraries are written in C. As long as dependent software 
> sticks to public APIs (and those APIs are indeed compatible), the binary 
> libraries should be compatible too, regardless of how different they are 
> "behind the scenes".

The problem is that while the API is compatible, the ABI might not be.  
Portions of OpenSSL / Libressl are implemented using macros, so the macros 
might be different in ways that don't appear immediately obvious.
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: openssl vs. libressl

2015-11-09 Thread Ryan Schmidt 

On Nov 9, 2015, at 2:43 PM, Brandon Allbery wrote:
> On Mon, Nov 9, 2015 at 3:39 PM, René J.V. wrote:
>> I understand that libressl aims to be API-compatible with openssl so that it 
>> can act as a drop-in replacement. How far does that go, far enough that one 
>> can symlink the libssl and libcrypto runtimes from the one port to the 
>> shared libraries of the other, without having to rebuild dependents?
> 
> My understanding is that the API (i.e. source) compatibility is mostly there 
> but the A*B*I (binary) compatibility was a swing and a miss; assume you have 
> to rebuild stuff.

In r139229 Jeremy made libressl a drop-in replacement for openssl. If a rebuild 
is needed to make things work, then this was the wrong solution, and openssl 
and libressl variants should have been added to all the ports touched by 
r139229. That would obviously be a pain so let's verify whether that is really 
needed.

What happens if you install a port like curl for example that depends on 
openssl, and then force-deactivate openssl and install libressl instead? Does 
curl still work for accessing secure sites or do you get an error?

___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: openssl vs. libressl

2015-11-09 Thread Brandon Allbery 
On Mon, Nov 9, 2015 at 4:05 PM, Ryan Schmidt 
wrote:

> In r139229 Jeremy made libressl a drop-in replacement for openssl.


Interesting. I think it was FreeBSD that tried to do that (both API and
ABI) and failed at both, and said rebuild stuff for one or the other.
Apparently they were the ones who made the mistake, and it actually works
if done right?

-- 
brandon s allbery kf8nh   sine nomine associates
allber...@gmail.com  ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonadhttp://sinenomine.net
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

RE: Experiences with El Capitan

2015-11-09 Thread Artur Szostak 
Hi,

Let me ask another question: Is there a seamless way to add building and 
mirroring services from 3rd parties for the pre-built binaries?

Kind regards.

Artur


From: macports-users-boun...@lists.macosforge.org 
[macports-users-boun...@lists.macosforge.org] on behalf of Daniel J. Luke 
[dl...@geeklair.net]
Sent: 06 November 2015 16:08
To: Rainer Müller
Cc: macports-users
Subject: Re: Experiences with El Capitan

On Nov 5, 2015, at 3:35 PM, Rainer Müller  wrote:
> This is mainly due to the absence of an actual admin at Mac OS Forge,
> our hosting provider at Apple.

Do we know if there's a position posted? It would be great if someone from the 
Macports community held that position.

--
Daniel J. Luke
++
| * dl...@geeklair.net * |
| *-- http://www.geeklair.net -* |
++
|   Opinions expressed are mine and do not necessarily   |
|  reflect the opinions of my employer.  |
++





___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: openssl vs. libressl

2015-11-09 Thread Jeremy Huddleston Sequoia 

> On Nov 9, 2015, at 13:40, René J.V. Bertin  wrote:
> 
> On Monday November 09 2015 15:27:54 Ryan Schmidt wrote:
> 
>>> Interesting. I think it was FreeBSD that tried to do that (both API and 
>>> ABI) and failed at both, and said rebuild stuff for one or the other. 
>>> Apparently they were the ones who made the mistake, and it actually works 
>>> if done right?
>> 
>> You are correct, it does not work.
> 
> This is what I predicted.
> 
>> 
>> 
>> $ curl https://www.macports.org/
>> dyld: Library not loaded: /opt/local/lib/libssl.1.0.0.dylib
>>  Referenced from: /opt/local/bin/curl
>>  Reason: image not found
>> Trace/BPT trap: 5
> 
> Now what if you do
> 
> %> ln -s libssl.35.dylib libssl.1.0.0.dylib ?
> 
> (assuming that libressl indeed installs libssl.35.dylib)
> 
> If that works, it can be handled with a very simple post-destroot addition in 
> both ports .

Don't do that.  There's a 99% chance it won't work for you.

--Jeremy
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: openssl vs. libressl

2015-11-09 Thread Jeremy Huddleston Sequoia 

> On Nov 9, 2015, at 13:10, René J.V. Bertin  wrote:
> 
> On Monday November 09 2015 15:05:26 Ryan Schmidt wrote:
> 
>> In r139229 Jeremy made libressl a drop-in replacement for openssl. If a 
>> rebuild is needed to make things work, then this
> 
> Yes, but at least on Linux libressl installs libraries with different numbers 
> (libssl.so.35 vs libssl.so.1.0.0). I haven't yet checked on OS X, but if this 
> is the case there too then Jeremy's modification (using path: style 
> dependencies) is not enough.

Yes, the dylib identifiers (and filenames) are different.

This is the same solution we've used elsewhere in MacPorts (eg: ffmpeg-devel).

>> What happens if you install a port like curl for example that depends on 
>> openssl, and then force-deactivate openssl and install libressl instead? 
>> Does curl still work for accessing secure sites or do you get an error?
> 
> I haven't tried that yet, I'll see if I have time for it tomorrow. Don't 
> hesitate to beat me to it, though :)

You'd need to revupgrade rebuild after switching.

--Jeremy
___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users