www/firefox really depends on security/openssl?

Dr. Peter Voigt pvoigt at uos.de
Tue May 12 23:24:56 UTC 2015


On Tue, 12 May 2015 03:52:10 -0700
Yuri <yuri at rawbw.com> wrote:

> On 05/12/2015 02:25, Dr. Peter Voigt wrote:
> > Therefore I conclude:
> >
> > - Installing binary packages with pkg does not honor the
> >    WITH_OPENSSL_BASE=yes switch. Is there another place to tell pkg
> > to use base openssl when doing binary installations?
> Binary packages are built with default choices for port options.
> These choices are fixed, and don't depend on your choice of 
> WITH_OPENSSL_BASE=yes in ports.
> Also this option WITH_OPENSSL_BASE=yes should be deprecated ASAP in
> all ports, except maybe very few.

Well, thanks for clarifying.


> > - If port openssl is not present on a system, any dependency to
> > openssl is not detected by porttree.
> 
> OpenSSL is an oddball, because USE_OPENSSL is interpreted in a weird
> way: it tries to detect the port's presence and link with it, so
> standard packages are often built with base SSL, which is a problem.
> This has been discussed, but I am not sure when this will be fixed.

If I understand things correctly, this unavoidable mixture of base and
port openssl can lead to serious problems in the way described in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198788
This is in particular even more serious due to the API change between
port openssl 1.0.1 and 1.0.2. And even worse: ASM=on is causing trouble
on a lot of hardware. The initial problem in this thread of postfix not
building anymore against the new port openssl turned out to be caused by
a system getting more and more unstable, with shells and vim core dumping.
An at least temporary solution was to rebuild all ports against base
openssl, as many others did. I also tried to downgrade port openssl with
portdowngrade, but I did not feel it was the right way because it requires
some manual interaction which would have to be repeated after every
ports tree update. And of course it is no solution to stay with an
older release of port openssl, excluding me from security patches.


> In short, as I also mentioned before, you won't be able to get rid of 
> OpenSSL port because some packages require it unconditionally. So the 
> best strategy is to use OpenSSL port for everything. You will likely
> be successful if you build them yourself from ports, and fix places
> where base SSL comes into play.

I am getting an idea now of why you're recommending building all ports
against port openssl. However, currently

1.) I cannot get a reliable list of all ports depending on openssl. I
    do not have port openssl installed on my system and porttree fails
    in this case. "make run-depends-list" would do the job, but I don't
    know how to batch run it against all installed ports. On the other
    hand I have carefully logged all steps performed when rebuilding my
    ports against base openssl, i.e. I have a list of ports
    depending on openssl. I do not know if this list is complete.

2.) I do not have enough knowledge to "fix" a port refusing to build
    against port openssl. I am not even sure if I would safely detect
    all such ports.

3.) If I decide to rebuild my ports against port openssl, there is a
    good chance to end up with an unresponsive system as described in
    PR 198788, because of some (undetected) ports insisting on building
    against base openssl instead.

4.) I wish there could be a guideline from FreeBSD experts telling
    people the best strategy of handling openssl without risking an
    unstable system. This should also cover dependency detection.
    I have once migrated my main server from Linux to FreeBSD because
    stability and security are most important for me. This openssl thing
    is getting a bit annoying.

One last thing in the end: While thinking and searching about
openssl dependency checking I have detected that pkg can do a shared
library check. I immediately checked all installed ports for missing
libraries and found a stale dependency of cups-filters on port
openssl. I rebuilt cups-filters against base openssl, which in turn
solved my initial issue: www/firefox can now be installed as a package
without being forced to install port openssl. And moreover: This even
corrects the build failure of www/firefox. I will immediately
report this to PR 199404.

Thank you very much for your feedback, advice and valuable discussion.

Peter
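As an added illustration of the two checks discussed in this mail (a batch list of installed packages that depend on openssl, which point 1 says could not be done with "make run-depends-list", and the shared-library check mentioned at the end), here is a small shell example. It is not part of the original thread. It assumes pkg(8)'s query format strings %n (package name), %dn (dependency name) and %B (shared library required by the package); the filters below run on constructed sample output in that shape, so the script works without pkg installed. Package names and soname version numbers in the samples are illustrative, not taken from any real system.

```sh
#!/bin/sh
# Added example, not code from the original mailing-list thread.
# Assumed input shapes (pkg(8) query format strings):
#   pkg query -a '%n %dn'  ->  "<package> <dependency-package>"
#   pkg query -a '%n %B'   ->  "<package> <required-shared-library>"

# Print every package whose recorded dependency is the openssl port,
# whether the dependency is given by name or by origin.
openssl_dependents() {
    awk '$2 == "openssl" || $2 == "security/openssl" { print $1 }' | sort -u
}

# Print "<package> <library>" for every package that needs libssl or
# libcrypto at run time. Comparing the soname versions shown here against
# what base and port openssl install reveals packages linked to the wrong one.
openssl_shlib_users() {
    awk '$2 ~ /^lib(ssl|crypto)\.so/ { print $1 " " $2 }' | sort -u
}

# Constructed sample in the shape of `pkg query -a '%n %dn'`.
SAMPLE_DEPS='cups-filters openssl
cups-filters cups
postfix security/openssl
postfix pcre
vim ncurses
firefox nss'

# Constructed sample in the shape of `pkg query -a '%n %B'`
# (library version numbers are illustrative only).
SAMPLE_SHLIBS='cups-filters libssl.so.8
cups-filters libcups.so.2
postfix libcrypto.so.8
vim libncurses.so.8'

# Demonstration run on the samples.
echo "packages depending on the openssl port:"
printf '%s\n' "$SAMPLE_DEPS" | openssl_dependents
echo "packages needing libssl/libcrypto:"
printf '%s\n' "$SAMPLE_SHLIBS" | openssl_shlib_users

# On a FreeBSD host with pkg(8) the same filters run over live data:
#   pkg query -a '%n %dn' | openssl_dependents
#   pkg query -a '%n %B'  | openssl_shlib_users
```

Using the `%B` listing is what turns a package-level dependency question into a library-level one: a package that shows no dependency on the openssl port but still requires a `libssl.so` soname that only the port provides is exactly the kind of stale link described above for cups-filters.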
