On 9/17/2016 09:47, John Marino wrote:
The DPorts tree has been audited and fixed to work with dports-based SSL
libraries such as:
  /security/openssl-devel (untested)
  /security/libressl-devel (untested)

Currently they will still build with the DF base openssl libraries.  If
you want to use one of the dports SSL libraries above, put
"SSL_DEFAULT=<portname>" in your make.conf and rebuild them all.

For example, put:
in /usr/local/etc/synth/LiveSystem-make.conf
and use synth to rebuild all packages, then reinstall from your local

In about a week, the dports framework will be changed to use
dports-based libressl by default ON MASTER (existing releases will still
use base openssl), so if you want something else on master you need to
set SSL_DEFAULT anyway.  (Note that there are a few ports that are
OpenSSL-only, so those will only be available to people that build their
own packages with SSL_DEFAULT=openssl set in the future).

You can maintain the current behavior by setting "SSL_DEFAULT=base" in
make.conf, but at some point we are going to unhook the base OpenSSL
from the build by default.

Let's pick a date, say 14 October 2016.
I proposed that after that point, the base OpenSSL will no longer build
and "make upgrade" will remove it from the system.  We can have a new
build variable, e.g. KEEP_OPENSSL, that would keep building it and not
remove it during upgrade, but that variable would probably be removed
before the next release.

If anyone has a big issue with that proposal, just speak up.  Nothing is
set in stone yet.

To follow up, I just pushed a commit that implements the following:
1) OpenSSL will no longer be built by default
2) Existing libraries, headers, and man pages will remain installed
3) Those can be removed with "make upgrade REMOVE_OPENSSL_FILES=yes" after the next installworld
4) For the next 4 weeks or so, the base OpenSSL can be built with the rest of base if FORCE_OPENSSL=yes is set in /etc/make.conf.


The DPorts packages have been built with the dports-default LibreSSL for a few weeks now, so if the system has current packages, the chances are that nothing on the system links to base openssl, but any software built outside of ports might do so. Once it's verified that nothing links to base OpenSSL, I'd recommend removing it.

In about a month, I believe we'll remove the OpenSSL sources and makefiles completely.
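
One way to run the "nothing links to base OpenSSL" check for software built outside of ports (an added example, not part of the original message or of the DragonFly tools). It assumes the dports SSL libraries live under /usr/local/lib and that ldd prints the usual `name => path` lines; the sample paths and library versions are constructed.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Assumption: dports SSL libraries install under /usr/local/lib; anything
# else that libssl/libcrypto resolves to is treated as base OpenSSL.
DPORTS_LIBDIR="${DPORTS_LIBDIR:-/usr/local/lib}"

# Read ldd output on stdin; print "binary<TAB>resolved path" for every
# libssl/libcrypto dependency that does not resolve under DPORTS_LIBDIR.
# An unresolved library ("not found") is reported as well, since that is
# what a stale link looks like once the base files have been removed.
find_base_ssl_links() {
    awk -v prefix="$DPORTS_LIBDIR/" '
        !/=>/ && /:$/ { bin = substr($0, 1, length($0) - 1); next }
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            path = ($3 == "not") ? "not found" : $3
            if (index(path, prefix) != 1) printf "%s\t%s\n", bin, path
        }'
}

# Run ldd over every executable file under the given directories.
scan_dirs() {
    find "$@" -type f -perm -0100 -print 2>/dev/null |
    while IFS= read -r f; do
        printf '%s:\n' "$f"
        ldd "$f" 2>/dev/null | grep '=>' || true
    done | find_base_ssl_links
}

# Constructed sample input (paths and library versions are made up).
sample_ldd_output() {
    cat <<'EOF'
/usr/local/bin/curl:
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800a00000)
    libssl.so.43 => /usr/local/lib/libssl.so.43 (0x800c00000)
    libcrypto.so.41 => /usr/local/lib/libcrypto.so.41 (0x800e00000)
/opt/custom/bin/legacyd:
    libssl.so.8 => /usr/lib/libssl.so.8 (0x800a00000)
    libc.so.8 => /lib/libc.so.8 (0x800c00000)
/opt/custom/bin/orphan:
    libcrypto.so.8 => not found
EOF
}

# Usage: sh check-ssl-links.sh /opt/custom/bin /usr/local/sbin ...
if [ "$#" -gt 0 ]; then scan_dirs "$@"; fi
```

An empty result for the directories holding locally built software is the condition to meet before running the upgrade with REMOVE_OPENSSL_FILES=yes. ldd relies on the runtime linker, so run this only over binaries you trust.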

