ports/187076: PREFIX!=/usr/local prevents package build for security/openssl, sysutils/monit
Dewayne Geraghty
dewayne.geraghty at heuristicsystems.com.au
Mon Mar 3 11:20:01 UTC 2014
The following reply was made to PR ports/187076; it has been noted by GNATS.
From: Dewayne Geraghty <dewayne.geraghty at heuristicsystems.com.au>
To: Dirk Meyer <dirk.meyer at dinoex.sub.org>, FreeBSD-gnats-submit at FreeBSD.org
Cc:
Subject: Re: ports/187076: PREFIX!=/usr/local prevents package build for security/openssl,sysutils/monit
Date: Mon, 03 Mar 2014 22:06:26 +1100
On 3/03/2014 5:21 PM, Dirk Meyer wrote:
> Hello Dewayne Geraghty,
>
>> Though I have been building openssl from ports into the base system
>> since 2006. And that is where it resides today, in all the servers that
>> we have deployed to customers, along with select packages like heimdal
>> and openssh (into /usr).
> OpenSSL in base has only been working in FreeBSD 4.x
>
>> [...] than I do ensuring that we have latest executables, libs.
> Sadly this is not the case.
>
> the base apps will still use the old base libs.
>
> $ ldd /usr/sbin/sshd | grep libcrypto
> libcrypto.so.6 => /lib/libcrypto.so.6 (0x33e5a000)
>
> $ ldd /usr/sbin/wpa_supplicant
> libssl.so.6 => /usr/lib/libssl.so.6 (0x33d05000)
> libcrypto.so.6 => /lib/libcrypto.so.6 (0x33d51000)
>
>> I had considered building packages for a non /usr location but that
>> wasn't really the right thing to do, so it's a balancing act. The
>> argument regarding libcrypt.so.6 and others is reasonable.
> You are in luck that the config location is different.
> /usr/ssl/openssl.conf
> /usr/openssl/openssl.conf
>
> else your apps might not work at all.
>
> kind regards Dirk
>
> - Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
>
>
Thank you Dirk, you're quite right. Though I avoid those problems by
using a skeleton FreeBSD, where I don't build ssh, heimdal, hostapd,
named, ntp during a system build but rely upon packages from ports.
Some time ago, I used to not build openssl, however subsequent geom_eli
versions pulled in some headers from the base openssl, requiring a
simple work-around. More recently pkg_* and fetch need libssl or
libcrypto ... but it is gssd that really upset the apple-cart (made
things difficult).

Yes, many of the base applications use libcrypt.so.6 and less than 10 use
libssl.so.6. Of the 487 ports that I use, the only port that requires
these libraries is pkg. The other ports build cleanly with
libcrypto.so.8 and/or libssl.so.8. I'm probably fortunate that none link
to both lib{ssl,crypto}.so.6 and .8, but for those that do, maybe they
should be corrected?

Thank you for your thoughts, you've reminded me what a nuisance this was
when I first took this path (of replacing base contributions with
packaged elements). But there is some consolation that I regard an
operating system only as useful as the applications that it reliably
runs - the base elements of FreeBSD: Kernel, IO, network infrastructure,
device and memory management provide an outstanding base platform but
it's the ports system that provides utility to businesses, and, with
timely revisions provides for more than just a fun experience; a genuine
business advantage. :)

Unfortunately there is no luck involved; careful analysis and planning
is required. And your choice of wpa_supplicant is a poignant example,
as it is at revision 0.7.3 (on FreeBSD 9.2Stable) while the latest
software is at revision 2.1
(http://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog). I would
probably use a port if it was available, because TLS1.2 is attractive,
though if the FreeBSD developers have left this software alone, it's
precautionary to examine why more closely. ;)

Kind regards, Dewayne
Australia.
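
The check discussed in this thread, as an added example that is not part of the original messages or of FreeBSD's own tooling: a shell function that reads `ldd` output and reports binaries resolving libssl or libcrypto at more than one soname version. The names `mixed_openssl` and `sample_ldd`, the example binaries and most addresses are constructed for illustration, and the input is assumed to carry ldd's `/path/to/binary:` header lines.

```shell
#!/bin/sh
# Added example: audit ldd output for binaries that load libssl/libcrypto
# at more than one soname version (e.g. .so.6 from base, .so.8 from ports).

# Reads ldd output on stdin.
# Prints one line per finding: binary<TAB>library<TAB>versions-in-load-order
mixed_openssl() {
    awk '
    # Header line printed by ldd before each file: "/path/to/binary:"
    /^[^ \t].*:$/ { bin = substr($0, 1, length($0) - 1); next }
    # Dependency line: "<tab>libcrypto.so.6 => /lib/libcrypto.so.6 (0x...)"
    $1 ~ /^lib(ssl|crypto)\.so\.[0-9]+$/ {
        n = split($1, p, /\./)          # p[1] = library name, p[n] = version
        k = bin SUBSEP p[1]
        if (!((k, p[n]) in seen)) {     # count each version once per binary
            seen[k, p[n]] = 1
            vers[k] = vers[k] (count[k]++ ? "," : "") p[n]
        }
    }
    END {
        for (k in count) if (count[k] > 1) {
            split(k, a, SUBSEP)
            printf "%s\t%s\t%s\n", a[1], a[2], vers[k]
        }
    }' | sort
}

# Constructed sample input: one base binary, one clean port binary, and one
# binary that pulls in libcrypto.so.6 indirectly next to libcrypto.so.8.
sample_ldd() {
    printf '%s\n' '/usr/sbin/sshd:'
    printf '\t%s\n' 'libcrypto.so.6 => /lib/libcrypto.so.6 (0x33e5a000)'
    printf '%s\n' '/usr/local/bin/example-clean:'
    printf '\t%s\n' 'libssl.so.8 => /usr/local/lib/libssl.so.8 (0x10000000)' \
                    'libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x10100000)'
    printf '%s\n' '/usr/local/bin/example-mixed:'
    printf '\t%s\n' 'libssl.so.8 => /usr/local/lib/libssl.so.8 (0x20000000)' \
                    'libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x20100000)' \
                    'libcrypto.so.6 => /lib/libcrypto.so.6 (0x20200000)'
}

# Demonstration on the constructed sample
sample_ldd | mixed_openssl
```

On a real system the function would be fed actual `ldd` output for the binaries of interest, for example `ldd /usr/local/bin/* 2>/dev/null | mixed_openssl`.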