SA-04:05 single patch && bsd.openssl.mk problem
Jacques A. Vidrine
nectar at FreeBSD.org
Wed Apr 14 10:56:04 PDT 2004
On Wed, Apr 14, 2004 at 05:49:25PM +0000, Bjoern A. Zeeb wrote:
> Hi,
>
> when applying the patch from SA-04:05[1] and re-building changed parts
> of the base system opensslv.h does not get altered with the update
> like it did with the commits to the various branches [2].
Often the patch file will have changes to version strings elided
in order to facilitate actual patching.
> [1] ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:05/openssl.patch
> [2] e.g. http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssl/crypto/opensslv.h.diff?r1=1.1.1.1.2.8&r2=1.1.1.1.2.9
>
> bsd.openssl.mk is now doing a string compare on e.g. "0.9.7a-p1" which
> will fail. Thus ports that set USE_OPENSSL will depend on the
> openssl package.
>
> This logic is broken as the base system is patched and the openssl
> package is not needed.
Put USE_OPENSSL_BASE=yes in /etc/make.conf to defeat bsd.openssl.mk's
logic.
> So the SA patches should also update the version strings in headers
In general, this will be avoided.
> - or, more generally, commit the same parts (only) that get published
> as single patches
Providing patches really serves a different purpose than what you
want. It is provided (a) to illustrate the actual problem; (b) to
allow people who ``know what they are doing'' to patch their systems,
even if they are running something quite different from stock FreeBSD.
> (or even better the other way round: should publish
> a complete single patch from what got previously committed).
Since actual patches are in CVS, it makes little sense to duplicate
them on the FTP site.
> What short term solutions are there for people building ports
> [ I do not really like any of those ] ?
>
> - setting USE_OPENSSL_BASE=yes seems to be a possible workaround
> forcing the version of the base system and not the port to be used.
> - patching the header file by hand is not a real solution but should
> work too.
>
> - would it be possible to make the check in bsd.openssl.mk somehow
> more intelligent to better detect a patched version ?
>
> - ... ?
Use CVSup, CVS, or cvsweb to update your local files if you want to
track security branches.
Cheers,
--
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org