[HEADSUP] change in default openssl coming

Franco Fichtner franco at lastsummer.de
Fri Jul 8 10:04:34 UTC 2016


> On 08 Jul 2016, at 11:45 AM, Mark Millard <markmi at dsl-only.net> wrote:
> 
> Mathieu Arnold mat at FreeBSD.org wrote on Fri Jul 8 06:26:33 UTC 2016:
> 
>> I will be changing the
>> default OpenSSL for the ports tree from the base system version to
>> security/openssl.
> 
> 
> This could be odd for something like ports-mgmt/pkg if it currently uses the base system version: needing to have had already built security/openssl in order to build/use pkg.

This needs to be built against base if it doesn't want to bundle the
library.  On a slightly related note, bapt@ added that pkg(8) doesn't
necessarily need OpenSSL, but its implementations of the required algorithms
are faster than the available alternatives.  And it's just that OpenSSL
is such a large project that bundling makes it difficult.

A large portion of work in early 2015 focused on making OpenSSL ports
build dependencies reliable, because LibreSSL from ports wasn't really
working as many ports supposedly using OpenSSL from ports were using
OpenSSL from base.  Things have changed considerably in 1.5 years.

I think the main motivation here is: fixing security issues faster
and depending less on base where possible to allow major upgrades to
take place of said SSL libraries.

The other one was that base OpenSSL should be more private, for that
same reason or another.

As another example of how this might be useful: HardenedBSD can build
LibreSSL base, but for people still needing OpenSSL in order not to
jeopardise their job security the default of using the ports version
would be the way to go.

On OPNsense, we even build parallel tracks for OpenSSL and LibreSSL
from ports and it's therefore possible to migrate from one track to
the other as pkg(8) thinks it's upgrading to a new version where shared
library dependencies changed.  ;)

I think what's bad now is that the SSL port chosen is exclusive to
the repository due to files installed.  Switching to OpenSSL from
ports will prevent ports that do depend on LibreSSL's shared library
libtls.so from working, because OpenSSL is so deeply tied into today's
software that it will be on almost any default installation.


Cheers,
Franco