Date: Sat, 11 Dec 2021 12:42:48 GMT
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Matthias Andree
Subject: git: 5cc978dcfe58 - main - security/openvpn: license incompat mbedTLS, LZO+LibreSSL

The branch main has been updated by mandree: URL:
https://cgit.FreeBSD.org/ports/commit/?id=5cc978dcfe58a52b9a163e080d855b022ac22545 commit 5cc978dcfe58a52b9a163e080d855b022ac22545 Author: Matthias Andree AuthorDate: 2021-12-11 12:38:37 +0000 Commit: Matthias Andree CommitDate: 2021-12-11 12:42:31 +0000 security/openvpn: license incompat mbedTLS, LZO+LibreSSL After reviewing licenses again, - mark mbedTLS broken for now, since it uses the Apache License 2.0, which is incompatible with the GPLv2 (OpenVPN does not employ the "or any later version" escape hatch). This will be handed to the OpenVPN-devel mailing list for review. - block out the combination of LZO with LibreSSL, since OpenVPN only has a linking exception for OpenSSL itself. Remedy is to either forgo LibreSSL, or to disable the LZO option, which requires proper configuration on either end. The maintainer's recommendation is to compile with OpenSSL instead. Bump PORTREVISION in spite of unchanged contents to flush out old packages. MFH: 2021Q4 --- security/openvpn/Makefile | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 491d24572863..4dbee597511b 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -2,7 +2,7 @@ PORTNAME= openvpn DISTVERSION= 2.5.4 -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ https://build.openvpn.net/downloads/releases/ \ 
@@ -43,7 +43,8 @@ OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS ASYNC_PUSH_DESC= Enable async-push support EASYRSA_DESC= Install security/easy-rsa RSA helper package -MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3) +LZO_DESC= LZO compression support (incompatible with LibreSSL) +MBEDTLS_DESC= LICENSE BROKEN - SSL/TLS via mbedTLS (lacks TLS v1.3) PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only) SMALL_DESC= Build a smaller executable with fewer features TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!) @@ -94,16 +95,37 @@ CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .if ${PORT_OPTIONS:MMBEDTLS} BROKEN_FreeBSD_14= OpenVPN-mbedTLS fails on FreeBSD 14 +BROKEN= License under clarification, OpenVPN is GPLv2-only and mbedTLS under Apache License 2.0, which are incompatible _tlslibs=libmbedtls libmbedx509 libmbedcrypto .else # OpenSSL _tlslibs=libssl libcrypto .endif +.if ${PORT_OPTIONS:MLZO} +IGNORE_SSL=libressl libressl-devel +IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support +.endif + .if ! ${PORT_OPTIONS:MLZ4} && ! ${PORT_OPTIONS:MLZO} CONFIGURE_ARGS+= --enable-comp-stub .endif +.include + +.if !empty(PORT_OPTIONS:MLZO) && !empty(SSL_DEFAULT:Nbase:Nopenssl*) +# in-depth security net if Mk/Uses/ssl.mk changes +pre-everything:: + @${ECHO_CMD} >&2 "ERROR: OpenVPN is not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL. Compile against OpenSSL, or if your setups support it, disable LZO support." + @${SHELL} -c 'exit 1' +.endif + +.if !empty(PORT_OPTIONS:MMBEDTLS) +pre-everything:: + @${ECHO_CMD} >&2 "License under clarification, OpenVPN is GPLv2-only and mbedTLS under Apache License 2.0, which are incompatible." + @${SHELL} -c 'exit 1' +.endif + post-patch: ${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \ -e 's/"nobody"( after init)/"openvpn" \1/' \ 
@@ -162,4 +184,4 @@ post-install-EXAMPLES-on: ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* ${RM} ${STAGEDIR}${EXAMPLESDIR}/sample-config-files/*.orig -.include +.include
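
Review bot: In the @@ -43,7 +43,8 @@ hunk, the new `MBEDTLS_DESC= LICENSE BROKEN - SSL/TLS via mbedTLS (lacks TLS v1.3)` does not tell a user in the options dialog what will happen if they pick it. MBEDTLS is still listed in `OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS`, yet the later hunk makes every build with it fail. Suggest wording the description so it says the option is currently blocked and why (GPLv2-only versus Apache License 2.0), in the same way `LZO_DESC` names the conflicting library directly.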
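
Review bot: In the @@ -94,16 +95,37 @@ hunk, each license condition is enforced twice with its reason text copied by hand, and the copies have already drifted apart. MBEDTLS is stopped by `BROKEN=` inside `.if ${PORT_OPTIONS:MMBEDTLS}` and again by a `pre-everything::` target that runs `@${SHELL} -c 'exit 1'`. LZO is stopped by `IGNORE_SSL`/`IGNORE_SSL_REASON` and again by its own `pre-everything::` target, where one message says "does not have permission to include LZO with LibreSSL" and the other says "not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL". Suggest defining each reason once in a variable and reusing it in both places. The MBEDTLS `pre-everything::` block would also benefit from a comment like the "in-depth security net" one on the LZO block, explaining why a hard exit is wanted on top of `BROKEN`, and its message lacks the `ERROR:` prefix the LZO message carries.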