From: Ed Maste
Date: Thu, 20 Apr 2023 14:46:08 -0400
Subject: Re: OpenSSL in the FreeBSD base system / FreeBSD 14
To: Joerg Pulz
Cc: freebsd-arch
List-Archive: https://lists.freebsd.org/archives/freebsd-arch

On Thu, 20 Apr 2023 at 09:14, Joerg Pulz wrote:
>
> Would the OpenSSL privatelib change mean that it's no longer possible to
> build and link base software against libs from ports given that those libs
> are linked to OpenSSL from ports then?
>
> e.g. link base Sendmail (with OpenSSL privatelib) with libsasl from
> security/cyrus-sasl2 and libldap from net/openldap26-client which are then
> linked with libssl and libcrypto from security/openssl
>
> or
>
> link base Heimdal (with OpenSSL privatelib) with libldap from
> net/openldap26-client which is then linked with libssl and libcrypto
> from security/openssl
>
> Both examples above are maybe not common but in use by myself since
> "ages".

Yes, I believe privatelib would preclude use cases like this. The problem is that we have conflicting constraints: OpenSSL 1.1.1 is EOL shortly after 14.0 releases, and there are ports that do not yet build against OpenSSL 3. I am not sure how much will be broken if we update the base system to OpenSSL 3 but leave the privatelib aside (i.e., have the base system provide OpenSSL 3 to ports).
> If such setups will no longer work with OpenSSL privatelib and updating
> OpenSSL in base is such a complicated, heavy and time consuming task, one
> could ask - why use OpenSSL instead of one other SSL implementation in
> base at all?

This is a good question, and is something that's been discussed on occasion. The base system has some components that depend on OpenSSL right now. If we switch to privatelib it is quite possible that we'll migrate those to something else over time.
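As an added check, not code from the thread or from FreeBSD: a POSIX sh script that inspects ldd(1) output for the situation Joerg describes, a single process about to map libssl/libcrypto under two different sonames (base 1.1.1 next to a ports library built against OpenSSL 3). The sample ldd output, sonames and paths below are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: spot a binary whose loaded objects pull
# in libssl/libcrypto under two different sonames.  Input is ldd(1) output,
# which lists every shared object the runtime linker maps, one
# "lib => path (addr)" line per object.

# Reads ldd output on stdin.  Prints each distinct libssl/libcrypto soname
# found, then "mixed" or "clean"; returns 1 when mixed.
check_openssl_mix() {
    awk '
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            fam = $1; sub(/\.so.*/, "", fam)            # libssl or libcrypto
            if (!seen[$1]++) { count[fam]++; print "found " $1 " => " $3 }
        }
        END {
            for (f in count) if (count[f] > 1) mixed = 1
            print (mixed ? "mixed" : "clean")
            exit (mixed ? 1 : 0)
        }'
}

# Convenience wrapper: verdict only, for a string holding ldd output.
openssl_mix_verdict() {
    printf '%s\n' "$1" | check_openssl_mix | tail -n 1
}

# Constructed sample: base sendmail linked against libsasl2/libldap from ports
# (Joerg's first example); their dependencies bring in the ports
# libssl.so.12/libcrypto.so.12 beside the base libssl.so.111/libcrypto.so.111.
SAMPLE_MIXED='/usr/libexec/sendmail/sendmail:
    libsasl2.so.3 => /usr/local/lib/libsasl2.so.3 (0x800a00000)
    libldap.so.2 => /usr/local/lib/libldap.so.2 (0x800c00000)
    libssl.so.111 => /usr/lib/libssl.so.111 (0x800e00000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x801000000)
    libssl.so.12 => /usr/local/lib/libssl.so.12 (0x801400000)
    libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x801600000)
    libc.so.7 => /lib/libc.so.7 (0x801800000)'

# Constructed sample: the same binary with everything resolved against base.
SAMPLE_CLEAN='/usr/libexec/sendmail/sendmail:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x800e00000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x801000000)
    libc.so.7 => /lib/libc.so.7 (0x801800000)'

printf '%s\n' "$SAMPLE_MIXED" | check_openssl_mix \
    || echo "two libcrypto sonames would share one address space"
printf '%s\n' "$SAMPLE_CLEAN" | check_openssl_mix
```

On a real system, feed it `ldd /usr/libexec/sendmail/sendmail` (or any base binary that loads ports libraries) instead of the constructed strings.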