Committer needed for PR 208029

Matthew Seaman matthew at FreeBSD.org
Wed Apr 6 15:25:05 UTC 2016


On 2016/04/06 16:05, Jim Ohlstein wrote:
> Hello,
> 
>> On Apr 6, 2016, at 10:47 AM, Kurt Jaeger <lists at opsec.eu> wrote:
>>
>> Hi!
>>
>>> This is much ado about nothing. The "WITH_OPENSSL_PORT" option is there 
>>> for just this purpose and is used in many ports.
>>
>> In 9.x this is sometimes a problem, if port X builds in variant 1
>> and port Y depends/links on X, but builds in variant 2. So it's
>> a temporary solution for 9.x and will be solved when 9.x is EOL'ed.
>>
>> I'm not sure how this is solved in 10.x/11.x, probably the base SSL
>> is much more up2date.
>>
>>> Forcing users who want to use this port to use OpenSSL from ports for 
>>> ALL ports is overkill.
>>
>>> Think about official packages. Are ALL packages built against OpenSSL 
>>> from ports, or only those that need them? It's the latter, of course. 
>>> Are they incompatible in production? No.
>>
>> There are grey areas, and I guess it will be like that for 9.x.
> 
> Not only 9.x. 10.x has OpenSSL 1.0.1. Some ports require 1.0.2 which is in ports. OpenSSL 1.1.0 is soon to be released but almost certainly won't be in 11. It's likely to always be an issue. It's up to each individual maintainer to make certain his or her ports behave correctly if binaries link to one another. For a port like this the proper solution is to use the least intrusive option.

The ultimate solution is that the base copy of openssl will be made
private to the base system, and that any port that needs openssl
functionality will simply use the ports version of openssl.  This is
partly a consequence of packaging of base (coming for 11.0-RELEASE), but
not entirely so.

However, if you do build your own packages via poudriere or otherwise,
then it is a good idea to set 'WITH_OPENSSL_PORT=yes' globally.  It makes
it much easier to do useful security-related things like /remove SSLv2
and SSLv3 support entirely/.

	Cheers,

	Matthew
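
A check for the mixed-linkage problem discussed in this thread (one binary loading both the base and the ports OpenSSL), as an added example that is not part of the original messages. It classifies ldd(1)-style output; the function names, the /usr/local prefix default and the sample library versions and addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify ldd(1)-style output read on stdin by which OpenSSL copy it loads.
# Prints one of: none, base, ports, mixed.
# Assumption: ports install under ${LOCALBASE:-/usr/local}; a libssl or
# libcrypto resolved from anywhere else is counted as the base system copy.
classify_openssl_linkage() {
    awk -v prefix="${LOCALBASE:-/usr/local}" '
        # Dependency lines look like: libssl.so.N => /path/libssl.so.N (0x...)
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if (index($3, prefix "/") == 1) ports = 1
            else base = 1
        }
        END {
            if (base && ports) print "mixed"
            else if (ports)    print "ports"
            else if (base)     print "base"
            else               print "none"
        }'
}

# Constructed sample: a binary built against the ports OpenSSL that also
# depends on a library built against the base OpenSSL.
sample_mixed() {
    cat <<'EOF'
/usr/local/bin/example:
    libexample.so.1 => /usr/local/lib/libexample.so.1 (0x800822000)
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a4a000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800cb6000)
    libssl.so.7 => /usr/lib/libssl.so.7 (0x8010a9000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x801314000)
    libc.so.7 => /lib/libc.so.7 (0x80170c000)
EOF
}

# Constructed sample: everything resolves to the ports OpenSSL.
sample_ports_only() {
    cat <<'EOF'
/usr/local/bin/example:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a4a000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800cb6000)
    libc.so.7 => /lib/libc.so.7 (0x80170c000)
EOF
}

# On a real system: ldd /usr/local/bin/some-binary | classify_openssl_linkage
sample_mixed | classify_openssl_linkage
```

A result of "mixed" means two different OpenSSL builds end up in the same process, which is the case a global WITH_OPENSSL_PORT setting is meant to avoid.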

