Moving / renaming OpenSSL ports
Bernard Spil
brnrd at freebsd.org
Sun Aug 19 11:31:24 UTC 2018
On 2018-08-19 0:25, Dewayne Geraghty wrote:
> Bernard,
> Given the silly way that the openssl crew have decided to name their
> releases I think this is a good approach for the moment. I wonder how
> they'll number an update to 1.1 :) (1.1A 1.2?) or what an update to
> 1.1.1 - a rod for their own back, I think it a pity the TLS folks did
> not use 2.0 rather than 1.3).
>
> I've used your wikis a great deal and have found your proactive
> engagement a delight.
>
> Yes I still build all amd64 ports with libressl. I'm considering
> migration to libressl-devel because I think this will remove some
> security/libressl tweak complexity. ;)
>
> After reviewing your FOSDEM slides -
> - yes there are ports that use base even when told not to, so for
> libssl
> | libcrtypo - I just remove them, though I do replace them with
> symlinks.
> - I hadn't seen this SSL_OP_SINGLE_DH_USE before. We regenerate DH on
> a
> daily basis in background, so for us its preferred.
> - slide 17 - building without openssl creates deficient libarchive,
> which is ok if you pull via curl and one of the archiver/ tar-like
> files. Problematic for most users.
> - thank-you for drawing my attention to this PRIVATELIB=true WOW!
> Great! I'll also search ports for any use of USEPRIVATELIB so I can
> remove the line ;)
> - pkg is a problem. We rebuild required ports then remove all ports
> (pkg delete -a), install (via tar) the key ones, then rebuild
> everything. Convoluted but effective for our purposes
>
> Excellent presentation, summary of history and references.
>
> Kind regards, Dewayne
> ps I use security/heimdal ports for all production servers, we build
> 1200+ ports each month - it catches a lot of mismatches. The
> recommendation to use MIT for anything is unfortunate - why provide the
> US the opportunity for additional sanctions :) I've found heimdal to
> be
> ridiculously stable in production AND predictable.
Hi Dewayne,
Thanks for your response! Waiting for some more people to chime in
before I pull any triggers.
As for libressl-devel, there's no ABI changes sofar and I haven't really
seen any benefits of using 2.8 over 2.7 sofar. Have you seen anything
specific?
Heimdal is one of the blockers for updating OpenSSL to 1.1 in base :D
Cheers, Bernard.
More information about the freebsd-ports
mailing list