Re: dns/bind916 builds rust unexpectedly

From: Guido Falsi <>
Date: Tue, 26 Sep 2023 07:17:21 UTC
On 26/09/23 08:53, Helge Oldach wrote:
> Gareth de Vaux wrote on Mon, 25 Sep 2023 17:06:54 +0200 (CEST):
>> Hi all, I've just upgraded bind916 which brought half my system down since
>> it suddenly required a mountain of python packages and rust which needed
>> around 13GB (and hours) to build - space which I didn't have nor have ever
>> remotely expected to need for a ports build.
>> My bind configuration options are basically the defaults:
>> # grep OPTIONS_FILE_SET /var/db/ports/dns_bind916/options
>> These are the top level dependencies:
>> # make -C /usr/ports/dns/bind916 build-depends-list
>> /usr/ports/ports-mgmt/pkg
>> /usr/ports/textproc/py-sphinx
>> /usr/ports/devel/pkgconf
>> /usr/ports/security/openssl
>> /usr/ports/converters/libiconv
>> /usr/ports/devel/libuv
>> /usr/ports/textproc/libxml2
>> /usr/ports/dns/libidn2
>> /usr/ports/devel/json-c
>> /usr/ports/databases/lmdb
>> /usr/ports/devel/libedit
>> Does anyone know which option/dependency is causing this? I suspect
>> MANPAGES -> py-sphinx since it has 'py' but who knows. Which itself would
>> be crazy that just a manpage would trigger this kind of intense build.
> Indeed, it's py-sphinx, requiring py-openssl at some stage, which is in
> turn requiring py-cryptography which needs rust.
> DEFAULT_VERSIONS+=pycryptography=legacy
> in make.conf fixed this BS for me. Beware of the dogs, you might get
> bitten by software that requires the new py-cryptography - I did stumble
> over py-certbot and py-awscli for example.

py-cryptography was kept at an old version for a long time, for various 
reasons, the new mandatory dependency on rust being the main one.

But that old version does not work with OpenSSL 3, so the update of 
OpenSSL in FreeBSD 14 imposed the update of py-cryptography.

This is the perfect example of why I say:

- there are external pressures we have little power on (keeping an old 
OpenSSL indefinitely is not an option)
- keeping old version of software (to avoid heavy dependencies or 
whatever) is a landmine waiting to go off

The problem showed up now because the landmine of keeping an old version 
of py-cryptography in the tree finally went off.

I'm sure there are more similar landmines waiting to explode under our 
feet in the ports tree.

Guido Falsi <>