Using LibreSSL with only one or a subset of all installed ports

Nick Rogers ncrogers at gmail.com
Wed Feb 6 22:32:47 UTC 2019


On Wed, Feb 6, 2019 at 1:59 PM Kevin Oberman <rkoberman at gmail.com> wrote:

> On Wed, Feb 6, 2019 at 7:55 AM Nick Rogers <ncrogers at gmail.com> wrote:
>
>> I am wondering if it is wise or possible to use libressl for only a single
>> installed port, while continuing to use OpenSSL from Base for all remaining
>> installed ports. I would like to do this in order to get around the fact
>> that lang/phantomjs does not compile against openssl 1.1.x due to API
>> changes, and fixing it is less than trivial. However, I am not quite ready
>> to switch other ports to LibreSSL.
>>
>> My thought was to use the following approach in make.conf when building
>> via poudriere.
>>
>> .if ${.CURDIR:M*/lang/phantomjs}
>> DEFAULT_VERSIONS+= ssl=libressl
>> .endif
>>
>> I am hoping for some advice as to whether or not this will work, or if it's
>> a terrible idea, or if there is perhaps a better way to toggle libressl
>> per-port. All the port documentation I can find suggests an outright switch
>> to libressl for all ports, so I am concerned there is something I am
>> missing that will not be happy?
>>
>
> Along this path lies madness! Not that it can't work, but it is very
> dangerous and likely to get more complicated over time.
>
> The problem is with having multiple sharable libraries (.so) of the same
> name. The loader will refuse to load an executable if it attempts to load
> two or more shareable libraries that have a common name as it is not
> possible to determine which library to use for any reference. If phantomjs
> calls ssl routines directly and also is linked to a shareable that is
> linked to either the openssl port installed shareable or the base system
> shareable, the code will not load. As linkages grow more and more complex,
> this tends to turn into a real rat's nest.
>
> I'm not saying that it can't be done, but you have to know all of the
> linkages and be very sure that there are no conflicts.
>

Thanks for the input. I currently exclusively use OpenSSL in base, so I was
hoping there was something sane and similar to control using base vs.
security/openssl, like the WITH_OPENSSL_PORT and WITH_OPENSSL_BASE knobs,
only for libressl. It looks like security/openssl is still on 1.0, so I
might be able to get phantomjs working with security/openssl and continue
using base for other ports.

--
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkoberman at gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
>
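
A check for the linkage situation discussed in this thread, as an added example that is not part of either post: it scans `ldd` output for one binary and reports when libssl or libcrypto resolve to more than one file. The sample output, including its paths and version numbers, is constructed.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `ldd` output; the paths and version numbers are made up.
SAMPLE_LDD = """\
/usr/local/bin/phantomjs:
\tlibssl.so.47 => /usr/local/lib/libssl.so.47 (0x800a00000)
\tlibcrypto.so.45 => /usr/local/lib/libcrypto.so.45 (0x800c00000)
\tlibcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x801000000)
\tlibssl.so.8 => /usr/lib/libssl.so.8 (0x801200000)
\tlibcrypto.so.8 => /lib/libcrypto.so.8 (0x801400000)
\tlibc.so.7 => /lib/libc.so.7 (0x801800000)
"""

# One dependency line: "<soname> => <resolved path> (<load address>)"
LINE = re.compile(r"^\s+(\S+) => (\S+) \(0x[0-9a-f]+\)$")


def family(soname):
    """Strip the version suffix: 'libssl.so.47' -> 'libssl'."""
    return soname.split(".so", 1)[0]


def find_conflicts(ldd_output, watch=("libssl", "libcrypto")):
    """Return {family: sorted paths} for watched families resolving to >1 file."""
    seen = defaultdict(set)
    for line in ldd_output.splitlines():
        m = LINE.match(line)
        if m and family(m.group(1)) in watch:
            seen[family(m.group(1))].add(m.group(2))
    return {fam: sorted(paths) for fam, paths in seen.items() if len(paths) > 1}


if __name__ == "__main__":
    # Pipe real output in (ldd /path/to/binary | python3 this_script.py),
    # or run with no pipe to check the constructed sample.
    text = SAMPLE_LDD if sys.stdin.isatty() else sys.stdin.read()
    conflicts = find_conflicts(text)
    for fam, paths in sorted(conflicts.items()):
        print(f"{fam}: resolved to {len(paths)} different files: {', '.join(paths)}")
    sys.exit(1 if conflicts else 0)
```

The exit status is non-zero when a conflict is found, so the check can gate a package build or a deployment step.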


More information about the freebsd-ports mailing list