Moving / renaming OpenSSL ports

Bernard Spil brnrd at freebsd.org
Sun Aug 19 11:31:24 UTC 2018 

On 2018-08-19 0:25, Dewayne Geraghty wrote:
> Bernard,
> Given the silly way that the openssl crew have decided to name their
> releases I think this is a good approach for the moment.  I wonder how
> they'll number an update to 1.1  :)  (1.1A 1.2?) or what an update to
> 1.1.1 - a rod for their own back, I think it a pity the TLS folks did
> not use 2.0 rather than 1.3).
> 
> I've used your wikis a great deal and have found your proactive
> engagement a delight.
> 
> Yes I still build all amd64 ports with libressl.  I'm considering
> migration to libressl-devel because I think this will remove some
> security/libressl tweak complexity.  ;)
> 
> After reviewing your FOSDEM slides -
> - yes there are ports that use base even when told not to, so for 
> libssl
> | libcrtypo - I just remove them, though I do replace them with 
> symlinks.
> - I hadn't seen this SSL_OP_SINGLE_DH_USE before.  We regenerate DH on 
> a
> daily basis in background, so for us its preferred.
> - slide 17 - building without openssl creates deficient libarchive,
> which is ok if you pull via curl and one of the archiver/ tar-like
> files.  Problematic for most users.
> - thank-you for drawing my attention to this PRIVATELIB=true  WOW!
> Great!  I'll also search ports for any use of USEPRIVATELIB so I can
> remove the line ;)
> - pkg is a problem.  We rebuild required ports then remove all ports
> (pkg delete -a), install (via tar) the key ones, then rebuild
> everything.  Convoluted but effective for our purposes
> 
> Excellent presentation, summary of history and references.
> 
> Kind regards, Dewayne
> ps I use security/heimdal ports for all production servers, we build
> 1200+ ports each month - it catches a lot of mismatches.  The
> recommendation to use MIT for anything is unfortunate - why provide the
> US the opportunity for additional sanctions :)  I've found heimdal to 
> be
> ridiculously stable in production AND predictable.

Hi Dewayne,

Thanks for your response! Waiting for some more people to chime in 
before I pull any triggers.

As for libressl-devel, there's no ABI changes sofar and I haven't really 
seen any benefits of using 2.8 over 2.7 sofar. Have you seen anything 
specific?

Heimdal is one of the blockers for updating OpenSSL to 1.1 in base :D

Cheers, Bernard.

More information about the freebsd-ports mailing list