Re: Switch sysutils/borgbackup/2.0 to openssl-3.0
On Mon, Sep 11, 2023 at 10:14:30PM +0100, Stuart Henderson wrote:
> On 2023/09/11 22:12, Theo Buehler wrote:
> > On Mon, Sep 11, 2023 at 08:49:13PM +0100, Stuart Henderson wrote:
> > > On 2023/09/11 21:48, Theo Buehler wrote:
> > > > On Mon, Sep 11, 2023 at 09:41:39PM +0200, Bjorn Ketelaars wrote:
> > > > > Diff below switches sysutils/borgbackup/2.0 from OpenSSL-1.1 to
> > > > > OpenSSL-3.0. Reason to switch is the EOL status of OpenSSL-1.1.1.
> > > >
> > > > If you land this, please also update the comments regarding bumps at the
> > > > top of the openssl/1.1 and openssl/3.0 Makefiles.
> > > >
> > > > Has anyone ever tested borgbackup on BTI/IBT machines?
> > > >
> > >
> > > Works fine with borgbackup/1.2, but I don't think that uses OCB.
> >
> > My understanding is that only 2.0 links against OpenSSL, so 1.2 should
> > be fine anyway.
> >
> > The reason I'm asking is that I am still unclear to what extent OpenSSL
> > and its consumers are affected by BTI. robert hit some things with node
> > and thus switched it to 3.1 because of its native BTI/IBT support.
> >
> > For borgbackup/2.0 it is not entirely obvious what parts are routed
> > through hashlib/LibreSSL and which parts are directly pulled in from
> > the statically linked openssl. It might be worth running regress tests
> > on a capable machine and if there are issues use 3.1 instead.
>
> Seems OK as long as the test suite is enough to exercise this.

Thanks. 3.0 is fine with me then. Hard to be 100% sure here...
Re: Switch sysutils/borgbackup/2.0 to openssl-3.0
On 2023/09/11 22:12, Theo Buehler wrote:
> On Mon, Sep 11, 2023 at 08:49:13PM +0100, Stuart Henderson wrote:
> > On 2023/09/11 21:48, Theo Buehler wrote:
> > > On Mon, Sep 11, 2023 at 09:41:39PM +0200, Bjorn Ketelaars wrote:
> > > > Diff below switches sysutils/borgbackup/2.0 from OpenSSL-1.1 to
> > > > OpenSSL-3.0. Reason to switch is the EOL status of OpenSSL-1.1.1.
> > >
> > > If you land this, please also update the comments regarding bumps at the
> > > top of the openssl/1.1 and openssl/3.0 Makefiles.
> > >
> > > Has anyone ever tested borgbackup on BTI/IBT machines?
> > >
> >
> > Works fine with borgbackup/1.2, but I don't think that uses OCB.
>
> My understanding is that only 2.0 links against OpenSSL, so 1.2 should
> be fine anyway.
>
> The reason I'm asking is that I am still unclear to what extent OpenSSL
> and its consumers are affected by BTI. robert hit some things with node
> and thus switched it to 3.1 because of its native BTI/IBT support.
>
> For borgbackup/2.0 it is not entirely obvious what parts are routed
> through hashlib/LibreSSL and which parts are directly pulled in from
> the statically linked openssl. It might be worth running regress tests
> on a capable machine and if there are issues use 3.1 instead.

Seems OK as long as the test suite is enough to exercise this.

===> Regression tests for borgbackup-2.0.0b6p3
= test session starts ==
platform openbsd7 -- Python 3.10.12, pytest-7.1.3, pluggy-1.2.0
benchmark: 4.0.0 (defaults: timer=time.perf_counter disable_gc=False min_rounds=5 min_time=0.05 max_time=1.0 calibration_precision=10 warmup=False warmup_iterations=10)
Tests enabled: root, symlinks, hardlinks, atime/mtime, modes
Tests disabled: BSD flags, fuse2, fuse3
rootdir: /usr/obj/ports/borgbackup-2.0.0b6/borgbackup-2.0.0b6, configfile: setup.cfg
plugins: xdist-3.3.1, benchmark-4.0.0
collected 1695 items

build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/archive.py .. [ 0%]
[ 2%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/benchmark.py [ 2%]
[ 5%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/cache.py [ 5%]
[ 10%]
[ 10%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/checksums.py .. [ 10%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/chunker.py .. [ 10%]
... [ 10%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/chunker_pytest.py s [ 10%]
sss..[ 11%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/chunker_slow.py . [ 12%]
[ 12%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/compress.py . [ 12%]
... [ 14%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/crypto.py ... [ 15%]
.[ 15%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/efficient_collection_queue.py . [ 15%]
.. [ 15%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/file_integrity.py . [ 15%]
.. [ 16%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/hashindex.py [ 17%]
... [ 19%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/hashindex_pytest.py s [ 19%]
.s [ 19%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/helpers.py .. [ 19%]
[ 24%]
.. [ 27%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/item.py . [ 28%]
[ 28%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/key.py .. [ 29%]
[ 32%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/locking.py .. [ 32%]
... [ 33%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/logger.py [ 33%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/lrucache.py ..[ 33%]
build/lib.openbsd-7.3-amd64-cpython-310/borg/testsuite/nanorst.py ..
Re: Switch sysutils/borgbackup/2.0 to openssl-3.0
On Mon, Sep 11, 2023 at 08:49:13PM +0100, Stuart Henderson wrote:
> On 2023/09/11 21:48, Theo Buehler wrote:
> > On Mon, Sep 11, 2023 at 09:41:39PM +0200, Bjorn Ketelaars wrote:
> > > Diff below switches sysutils/borgbackup/2.0 from OpenSSL-1.1 to
> > > OpenSSL-3.0. Reason to switch is the EOL status of OpenSSL-1.1.1.
> >
> > If you land this, please also update the comments regarding bumps at the
> > top of the openssl/1.1 and openssl/3.0 Makefiles.
> >
> > Has anyone ever tested borgbackup on BTI/IBT machines?
> >
>
> Works fine with borgbackup/1.2, but I don't think that uses OCB.

My understanding is that only 2.0 links against OpenSSL, so 1.2 should
be fine anyway.

The reason I'm asking is that I am still unclear to what extent OpenSSL
and its consumers are affected by BTI. robert hit some things with node
and thus switched it to 3.1 because of its native BTI/IBT support.

For borgbackup/2.0 it is not entirely obvious what parts are routed
through hashlib/LibreSSL and which parts are directly pulled in from
the statically linked openssl. It might be worth running regress tests
on a capable machine and if there are issues use 3.1 instead.
Re: Switch sysutils/borgbackup/2.0 to openssl-3.0
On 2023/09/11 21:48, Theo Buehler wrote:
> On Mon, Sep 11, 2023 at 09:41:39PM +0200, Bjorn Ketelaars wrote:
> > Diff below switches sysutils/borgbackup/2.0 from OpenSSL-1.1 to
> > OpenSSL-3.0. Reason to switch is the EOL status of OpenSSL-1.1.1.
>
> If you land this, please also update the comments regarding bumps at the
> top of the openssl/1.1 and openssl/3.0 Makefiles.
>
> Has anyone ever tested borgbackup on BTI/IBT machines?
>

Works fine with borgbackup/1.2, but I don't think that uses OCB.
Re: Switch sysutils/borgbackup/2.0 to openssl-3.0
On Mon, Sep 11, 2023 at 09:41:39PM +0200, Bjorn Ketelaars wrote:
> Diff below switches sysutils/borgbackup/2.0 from OpenSSL-1.1 to
> OpenSSL-3.0. Reason to switch is the EOL status of OpenSSL-1.1.1.

If you land this, please also update the comments regarding bumps at the
top of the openssl/1.1 and openssl/3.0 Makefiles.

Has anyone ever tested borgbackup on BTI/IBT machines?
Switch sysutils/borgbackup/2.0 to openssl-3.0
Diff below switches sysutils/borgbackup/2.0 from OpenSSL-1.1 to OpenSSL-3.0. Reason to switch is the EOL status of OpenSSL-1.1.1. It should be noted that OpenSSL is used for EVP_aes_256_ocb, and is linked statically to avoid conflicting with shared libcrypto from the base OS pulled in via dependencies. Passes all tests, and run tested on amd64. Comments/OK? Index: Makefile === RCS file: /cvs/ports/sysutils/borgbackup/2.0/Makefile,v retrieving revision 1.14 diff -u -p -r1.14 Makefile --- Makefile11 Sep 2023 17:59:47 - 1.14 +++ Makefile11 Sep 2023 19:34:04 - @@ -4,11 +4,11 @@ USE_NOEXECONLY= Yes .endif MODPY_EGG_VERSION =2.0.0b6 -REVISION = 2 +REVISION = 3 # OpenSSL used for EVP_aes_256_ocb. It is linked statically to avoid conflicting # with shared libcrypto from the base OS pulled in via dependencies. -BUILD_DEPENDS =security/openssl/1.1 +BUILD_DEPENDS =security/openssl/3.0 RUN_DEPENDS = security/py-argon2-cffi${MODPY_FLAVOR} \ sysutils/py-platformdirs${MODPY_FLAVOR}>=3.8.1 Index: patches/patch-setup_py === RCS file: patches/patch-setup_py diff -N patches/patch-setup_py --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-setup_py 11 Sep 2023 19:34:04 - @@ -0,0 +1,14 @@ +Index: setup.py +--- setup.py.orig setup.py +@@ -161,8 +161,8 @@ if not on_rtd: + # Use openssl (not libressl) because we need AES-OCB via EVP api. Link + # it statically to avoid conflicting with shared libcrypto from the base + # OS pulled in via dependencies. +-crypto_ext_lib = {"include_dirs": ["/usr/local/include/eopenssl11"]} +-crypto_extra_objects += ["/usr/local/lib/eopenssl11/libcrypto.a"] ++crypto_ext_lib = {"include_dirs": ["/usr/local/include/eopenssl30"]} ++crypto_extra_objects += ["/usr/local/lib/eopenssl30/libcrypto.a"] + else: + crypto_ext_lib = lib_ext_kwargs(pc, "BORG_OPENSSL_PREFIX", "crypto", "libcrypto", ">=1.1.1") +
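
Review bot: The BUILD_DEPENDS switch to security/openssl/3.0 in the Makefile hunk comes without any change to the openssl/1.1 or openssl/3.0 Makefiles, so the bump comments asked for in the first reply are still missing from this diff. Because libcrypto.a is linked statically, the borgbackup package carries its own copy of the OpenSSL code and only picks up a fix when it is rebuilt; updating those comments in the same commit keeps the REVISION bump from being forgotten on the next openssl/3.0 update.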
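
Review bot: The two added lines in patches/patch-setup_py hard-code /usr/local/include/eopenssl30 and /usr/local/lib/eopenssl30/libcrypto.a, with no version check comparable to the ">=1.1.1" requirement that the unchanged else branch passes to lib_ext_kwargs. A missing or mismatched static library would therefore only surface as a compile or link failure. Since the removed lines show that setup.py itself carries the eopenssl11 paths, this local patch has to be kept in sync by hand at every OpenSSL branch switch; it is worth a short comment in the patch header saying so, and the thread's open question about BTI/IBT with the statically linked 3.0 code applies to exactly these two lines.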