Re: Switch sysutils/borgbackup/2.0 to openssl-3.0
On Mon, Sep 11, 2023 at 10:14:30PM +0100, Stuart Henderson wrote: > On 2023/09/11 22:12, Theo Buehler wrote: > > On Mon, Sep 11, 2023 at 08:49:13PM +0100, Stuart Henderson wrote: > > > On 2023/09/11 21:48, Theo Buehler wrote: > > > > On Mon, Sep 11, 2023 at 09:41:39PM +0200, Bjorn Ketelaars wrote: > > > > > Diff below switches sysutils/borgbackup/2.0 from OpenSSL-1.1 to > > > > > OpenSSL-3.0. Reason to switch is the EOL status of OpenSSL-1.1.1. > > > > > > > > If you land this, please also update the comments regarding bumps at the > > > > top of the openssl/1.1 and openssl/3.0 Makefiles. > > > > > > > > Has anyone ever tested borgbackup on BTI/IBT machines? > > > > > > > > > > Works fine with borgbackup/1.2, but I don't think that uses OCB. > > > > My understanding is that only 2.0 links against OpenSSL, so 1.2 should > > be fine anyway. > > > > The rason I'm asking is that I am still unclear to what extent OpenSSL > > and its consumers are affected by BTI. robert hit some things with node > > and thus switched it to 3.1 because of its native BTI/IBT support. > > > > For borgbackup/2.0 it is not entirely obvious what parts are routed > > through hashlib/LibreSSL and which parts are directly pulled in from > > the statically linked openssl. It might be worth running regress tests > > on a capable machine and if there are issues use 3.1 instead. > > Seems OK as long as the test suite is enough to exercise this. Thanks. 3.0 is fine with me then. Hard to be 100% sure here...
Re: Switch sysutils/borgbackup/2.0 to openssl-3.0
On 2023/09/11 22:12, Theo Buehler wrote: > On Mon, Sep 11, 2023 at 08:49:13PM +0100, Stuart Henderson wrote: > > On 2023/09/11 21:48, Theo Buehler wrote: > > > On Mon, Sep 11, 2023 at 09:41:39PM +0200, Bjorn Ketelaars wrote: > > > > Diff below switches sysutils/borgbackup/2.0 from OpenSSL-1.1 to > > > > OpenSSL-3.0. Reason to switch is the EOL status of OpenSSL-1.1.1. > > > > > > If you land this, please also update the comments regarding bumps at the > > > top of the openssl/1.1 and openssl/3.0 Makefiles. > > > > > > Has anyone ever tested borgbackup on BTI/IBT machines? > > > > > > > Works fine with borgbackup/1.2, but I don't think that uses OCB. > > My understanding is that only 2.0 links against OpenSSL, so 1.2 should > be fine anyway. > > The rason I'm asking is that I am still unclear to what extent OpenSSL > and its consumers are affected by BTI. robert hit some things with node > and thus switched it to 3.1 because of its native BTI/IBT support. > > For borgbackup/2.0 it is not entirely obvious what parts are routed > through hashlib/LibreSSL and which parts are directly pulled in from > the statically linked openssl. It might be worth running regress tests > on a capable machine and if there are issues use 3.1 instead. Seems OK as long as the test suite is enough to exercise this. ===> Regression tests for borgbackup-2.0.0b6p3 = test session starts == platform openbsd7 -- Python 3.10.12, pytest-7.1.3, pluggy-1.2.0 benchmark: 4.0.0 (defaults: timer=time.perf_counter disable_gc=False min_rounds=5 min_time=0.05 max_time=1.0 calibration_precision=10 warmup=False warmup_iterations=10) Tests enabled: root, symlinks, hardlinks, atime/mtime, modes Tests disabled: BSD flags, fuse2, fuse3 rootdir: /usr/obj/ports/borgbackup-2.0.0b6/borgbackup-2.0.0b6, configfile: setup.cfg plugins: xdist-3.3.1, benchmark-4.0.0 collected 1695 items build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/archive.py .. [ 0%] [ 2%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/benchmark.py [ 2%] [ 5%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/cache.py [ 5%] [ 10%] [ 10%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/checksums.py .. [ 10%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/chunker.py .. [ 10%] ... [ 10%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/chunker_pytest.py s [ 10%] sss..[ 11%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/chunker_slow.py . [ 12%] [ 12%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/compress.py . [ 12%] ... [ 14%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/crypto.py ... [ 15%] .[ 15%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/efficient_collection_queue.py . [ 15%] .. [ 15%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/file_integrity.py . [ 15%] .. [ 16%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/hashindex.py [ 17%] ... [ 19%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/hashindex_pytest.py s [ 19%] .s [ 19%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/helpers.py .. [ 19%] [ 24%] .. [ 27%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/item.py . [ 28%] [ 28%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/key.py .. [ 29%] [ 32%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/locking.py .. [ 32%] ... [ 33%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/logger.py [ 33%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/lrucache.py ..[ 33%] build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/nanorst.py ..
Re: Switch sysutils/borgbackup/2.0 to openssl-3.0
On Mon, Sep 11, 2023 at 08:49:13PM +0100, Stuart Henderson wrote: > On 2023/09/11 21:48, Theo Buehler wrote: > > On Mon, Sep 11, 2023 at 09:41:39PM +0200, Bjorn Ketelaars wrote: > > > Diff below switches sysutils/borgbackup/2.0 from OpenSSL-1.1 to > > > OpenSSL-3.0. Reason to switch is the EOL status of OpenSSL-1.1.1. > > > > If you land this, please also update the comments regarding bumps at the > > top of the openssl/1.1 and openssl/3.0 Makefiles. > > > > Has anyone ever tested borgbackup on BTI/IBT machines? > > > > Works fine with borgbackup/1.2, but I don't think that uses OCB. My understanding is that only 2.0 links against OpenSSL, so 1.2 should be fine anyway. The rason I'm asking is that I am still unclear to what extent OpenSSL and its consumers are affected by BTI. robert hit some things with node and thus switched it to 3.1 because of its native BTI/IBT support. For borgbackup/2.0 it is not entirely obvious what parts are routed through hashlib/LibreSSL and which parts are directly pulled in from the statically linked openssl. It might be worth running regress tests on a capable machine and if there are issues use 3.1 instead.
Re: Switch sysutils/borgbackup/2.0 to openssl-3.0
On 2023/09/11 21:48, Theo Buehler wrote: > On Mon, Sep 11, 2023 at 09:41:39PM +0200, Bjorn Ketelaars wrote: > > Diff below switches sysutils/borgbackup/2.0 from OpenSSL-1.1 to > > OpenSSL-3.0. Reason to switch is the EOL status of OpenSSL-1.1.1. > > If you land this, please also update the comments regarding bumps at the > top of the openssl/1.1 and openssl/3.0 Makefiles. > > Has anyone ever tested borgbackup on BTI/IBT machines? > Works fine with borgbackup/1.2, but I don't think that uses OCB.
Re: Switch sysutils/borgbackup/2.0 to openssl-3.0
On Mon, Sep 11, 2023 at 09:41:39PM +0200, Bjorn Ketelaars wrote: > Diff below switches sysutils/borgbackup/2.0 from OpenSSL-1.1 to > OpenSSL-3.0. Reason to switch is the EOL status of OpenSSL-1.1.1. If you land this, please also update the comments regarding bumps at the top of the openssl/1.1 and openssl/3.0 Makefiles. Has anyone ever tested borgbackup on BTI/IBT machines?
Switch sysutils/borgbackup/2.0 to openssl-3.0
Diff below switches sysutils/borgbackup/2.0 from OpenSSL-1.1 to
OpenSSL-3.0. Reason to switch is the EOL status of OpenSSL-1.1.1.
It should be noted that OpenSSL is used for EVP_aes_256_ocb, and is
linked statically to avoid conflicting with shared libcrypto from the
base OS pulled in via dependencies.
Passes all tests, and run tested on amd64.
Comments/OK?
Index: Makefile
===
RCS file: /cvs/ports/sysutils/borgbackup/2.0/Makefile,v
retrieving revision 1.14
diff -u -p -r1.14 Makefile
--- Makefile11 Sep 2023 17:59:47 - 1.14
+++ Makefile11 Sep 2023 19:34:04 -
@@ -4,11 +4,11 @@ USE_NOEXECONLY= Yes
.endif
MODPY_EGG_VERSION =2.0.0b6
-REVISION = 2
+REVISION = 3
# OpenSSL used for EVP_aes_256_ocb. It is linked statically to avoid
conflicting
# with shared libcrypto from the base OS pulled in via dependencies.
-BUILD_DEPENDS =security/openssl/1.1
+BUILD_DEPENDS =security/openssl/3.0
RUN_DEPENDS = security/py-argon2-cffi${MODPY_FLAVOR} \
sysutils/py-platformdirs${MODPY_FLAVOR}>=3.8.1
Index: patches/patch-setup_py
===
RCS file: patches/patch-setup_py
diff -N patches/patch-setup_py
--- /dev/null 1 Jan 1970 00:00:00 -
+++ patches/patch-setup_py 11 Sep 2023 19:34:04 -
@@ -0,0 +1,14 @@
+Index: setup.py
+--- setup.py.orig
setup.py
+@@ -161,8 +161,8 @@ if not on_rtd:
+ # Use openssl (not libressl) because we need AES-OCB via EVP api. Link
+ # it statically to avoid conflicting with shared libcrypto from the
base
+ # OS pulled in via dependencies.
+-crypto_ext_lib = {"include_dirs": ["/usr/local/include/eopenssl11"]}
+-crypto_extra_objects += ["/usr/local/lib/eopenssl11/libcrypto.a"]
++crypto_ext_lib = {"include_dirs": ["/usr/local/include/eopenssl30"]}
++crypto_extra_objects += ["/usr/local/lib/eopenssl30/libcrypto.a"]
+ else:
+ crypto_ext_lib = lib_ext_kwargs(pc, "BORG_OPENSSL_PREFIX", "crypto",
"libcrypto", ">=1.1.1")
+
