ports requiring OpenSSL not honouring OpenSSL from ports

Scot Hetzel swhetzel at gmail.com
Sun Apr 27 16:15:40 UTC 2014


On Sun, Apr 27, 2014 at 10:08 AM, Jamie Landeg-Jones
<jamie at dyslexicfish.net> wrote:
> One of the first things I do on installing a new machine is install
> OpenSSL from ports. I do build with base OpenSSL due to the many programs
> that depend on it, but using ports OpenSSL for ports makes things easier
> to patch/update.
>
> In the case of Heartbleed, for example, I was able to fix ports OpenSSL
> much sooner than base.
>
> In the process, however, I discovered a couple of ports that built against
> base even when the port was installed. I was going to supply patches /
> notify the maintainers, but first did a check, and discovered that a lot
> of current ports do similar.
>
> It turns out that this wasn't a problem specifically, but more generally,
> it's possible that someone may think a port has been patched when it hasn't.
>
> Basically what I'm asking: Shouldn't a port that uses OpenSSL *always*
> build against the port if it's installed?
>
The port should use the OpenSSL port if it is installed, unless the
port sets one of these variables in its Makefile:

WITH_OPENSSL_BASE
USE_OPENSSL_BASE

The port shouldn't be setting these variables.

Do you have a list of which ports used the OpenSSL from base, instead
of the installed OpenSSL port?
Could you check if they set these variables?

> I realise this isn't always possible to test, especially if the port Makefile
> doesn't have any OpenSSL configuration options, but I'd like to hear
> others' opinions on the matter.
>
> [ Not crossposted to ports@ as I'm unsure on cross-posting etiquette, but
>   feel free to add them in if appropriate ]
>

This is more of a ports issue than a security issue.

Post the list of affected ports to ports@, and/or submit PRs to
correct them.


-- 
DISCLAIMER:

No electrons were maimed while sending this message. Only slightly bruised.
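
The two checks discussed in this thread, as an added shell example that is not part of the original message or of FreeBSD's own tooling: `ports_forcing_base` lists ports whose Makefile sets either variable named above, and `classify_openssl_link` reads `ldd` output to show which OpenSSL a binary actually resolved. The function names, the sample `ldd` output and the default `/usr/local` prefix for ports libraries are assumptions.

```shell
#!/bin/sh
# Added example: audit helpers, not code from the original thread.

# List port origins (category/name) under a ports tree whose Makefile assigns
# WITH_OPENSSL_BASE or USE_OPENSSL_BASE. Commented-out lines are ignored.
ports_forcing_base() {
    tree=$1
    for mk in "$tree"/*/*/Makefile; do
        [ -f "$mk" ] || continue
        if grep -Eq '^[[:space:]]*(WITH|USE)_OPENSSL_BASE[[:space:]]*[?+:!]?=' "$mk"; then
            origin=${mk#"$tree"/}
            echo "${origin%/Makefile}"
        fi
    done
}

# Read `ldd` output on stdin and report where libssl/libcrypto resolved:
# "ports" (/usr/local/lib, assumed default prefix), "base" (/usr/lib or /lib),
# "mixed" (one from each, the case that hides an unpatched library), or "none".
classify_openssl_link() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\/lib\//) ports = 1
            else if ($3 ~ /^(\/usr)?\/lib\//) base = 1
        }
        END {
            if (ports && base) print "mixed"
            else if (ports) print "ports"
            else if (base) print "base"
            else print "none"
        }'
}

# Constructed sample of ldd output for a hypothetical binary.
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/example:
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800821000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800a8c000)
	libc.so.7 => /lib/libc.so.7 (0x800e7f000)
EOF
}

sample_ldd | classify_openssl_link   # prints: mixed
```

On a real system, run `ports_forcing_base /usr/ports` and pipe `ldd` of each installed binary into `classify_openssl_link`; anything reported as "base" or "mixed" did not pick up a patched ports OpenSSL.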


More information about the freebsd-security mailing list