From nobody Sat Dec 11 12:50:55 2021
Date: Sat, 11 Dec 2021 12:50:55 GMT
Message-Id: <202112111250.1BBCotvA018230@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: Matthias Andree
Subject: git: 7cbf21ebf86d - 2021Q4 - security/openvpn: license incompat mbedTLS, LZO+LibreSSL
List-Id: Commits to the quarterly branches of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-branches
X-Git-Committer: mandree
X-Git-Repository: ports
X-Git-Refname: refs/heads/2021Q4
X-Git-Reftype: branch
X-Git-Commit: 7cbf21ebf86d3aed14016c1e7fb3060d302352fe
Auto-Submitted: auto-generated

The branch 2021Q4 has been updated by mandree:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=7cbf21ebf86d3aed14016c1e7fb3060d302352fe commit 7cbf21ebf86d3aed14016c1e7fb3060d302352fe Author: Matthias Andree AuthorDate: 2021-12-11 12:38:37 +0000 Commit: Matthias Andree CommitDate: 2021-12-11 12:45:20 +0000 security/openvpn: license incompat mbedTLS, LZO+LibreSSL After reviewing licenses again, - mark mbedTLS broken for now, since it uses the Apache License 2.0, which is incompatible with the GPLv2 (OpenVPN does not employ the "or any later version" escape hatch). This will be handed to the OpenVPN-devel mailing list for review. - block out the combination of LZO with LibreSSL, since OpenVPN only has a linking exception for OpenSSL itself. Remedy is to either forgo LibreSSL, or to disable the LZO option, which requires proper configuration on either end. The maintainer's recommendation is to compile with OpenSSL instead. Bump PORTREVISION in spite of unchanged contents to flush out old packages. MFH: 2021Q4 (cherry picked from commit 5cc978dcfe58a52b9a163e080d855b022ac22545) --- security/openvpn/Makefile | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 0c571b012fd6..ff080990626c 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -2,7 +2,7 @@ PORTNAME= openvpn DISTVERSION= 2.5.4 -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ https://build.openvpn.net/downloads/releases/ \ 
@@ -43,7 +43,8 @@ OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS ASYNC_PUSH_DESC= Enable async-push support EASYRSA_DESC= Install security/easy-rsa RSA helper package -MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3) +LZO_DESC= LZO compression support (incompatible with LibreSSL) +MBEDTLS_DESC= LICENSE BROKEN - SSL/TLS via mbedTLS (lacks TLS v1.3) PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only) SMALL_DESC= Build a smaller executable with fewer features TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!) @@ -93,16 +94,38 @@ CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .include .if ${PORT_OPTIONS:MMBEDTLS} +BROKEN_FreeBSD_14= OpenVPN-mbedTLS fails on FreeBSD 14 +BROKEN= License under clarification, OpenVPN is GPLv2-only and mbedTLS under Apache License 2.0, which are incompatible _tlslibs=libmbedtls libmbedx509 libmbedcrypto .else # OpenSSL _tlslibs=libssl libcrypto .endif +.if ${PORT_OPTIONS:MLZO} +IGNORE_SSL=libressl libressl-devel +IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support +.endif + .if ! ${PORT_OPTIONS:MLZ4} && ! ${PORT_OPTIONS:MLZO} CONFIGURE_ARGS+= --enable-comp-stub .endif +.include + +.if !empty(PORT_OPTIONS:MLZO) && !empty(SSL_DEFAULT:Nbase:Nopenssl*) +# in-depth security net if Mk/Uses/ssl.mk changes +pre-everything:: + @${ECHO_CMD} >&2 "ERROR: OpenVPN is not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL. Compile against OpenSSL, or if your setups support it, disable LZO support." + @${SHELL} -c 'exit 1' +.endif + +.if !empty(PORT_OPTIONS:MMBEDTLS) +pre-everything:: + @${ECHO_CMD} >&2 "License under clarification, OpenVPN is GPLv2-only and mbedTLS under Apache License 2.0, which are incompatible." + @${SHELL} -c 'exit 1' +.endif + post-patch: ${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \ -e 's/"nobody"( after init)/"openvpn" \1/' \ 
@@ -161,4 +184,4 @@ post-install-EXAMPLES-on: ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* ${RM} ${STAGEDIR}${EXAMPLESDIR}/sample-config-files/*.orig -.include +.include
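
Review bot: in the @@ -43,7 +43,8 @@ hunk, the new LZO_DESC text "(incompatible with LibreSSL)" reads as a technical incompatibility, while the commit message says the restriction is a licensing one (OpenVPN's linking exception covers OpenSSL only). Someone choosing options in the dialog sees only this string, so wording such as "(license forbids combining with LibreSSL)" would state the actual reason. The same applies to the "LICENSE BROKEN" prefix on MBEDTLS_DESC: naming the conflict (GPLv2-only versus Apache License 2.0) in the description would say more than the prefix does.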
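
Review bot: in the @@ -93,16 +94,38 @@ hunk, the mbedTLS option is blocked by two separate mechanisms that carry the same message: BROKEN= is set unconditionally inside the PORT_OPTIONS:MMBEDTLS branch, and a second pre-everything:: target near the end of the hunk echoes the identical text and exits 1. One of the two should go, or the second should get a comment like the "in-depth security net" one on the LZO target explaining why both are needed. With BROKEN= unconditional, the added BROKEN_FreeBSD_14= line just above it has no additional effect, and the commit message does not mention a FreeBSD 14 build failure at all; that change deserves its own line in the log. For the LZO case, IGNORE_SSL lists only libressl and libressl-devel, but the fallback test SSL_DEFAULT:Nbase:Nopenssl* rejects every SSL_DEFAULT value other than base and openssl*, so the two checks do not cover the same set; if the broader match is intended, say so in the comment. The fallback's message ("other OpenSSL-licensed libraries than OpenSSL") is also hard to parse and differs from IGNORE_SSL_REASON; reusing ${IGNORE_SSL_REASON} in the echo would keep the two in step.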