[HEADSUP] change in default openssl coming

Matthew Seaman matthew at FreeBSD.org
Fri Jul 8 10:15:55 UTC 2016


On 07/08/16 10:45, Mark Millard wrote:
> Mathieu Arnold mat at FreeBSD.org wrote on Fri Jul 8 06:26:33 UTC 2016:
> 
>> > I will be changing the
>> > default OpenSSL for the ports tree from the base system version to
>> > security/openssl.
> 
> This could be odd for something like ports-mgmt/pkg if it currently
> uses the base system version: needing to have had already built
> security/openssl in order to build/use pkg.
> 
> pkg tends to depend on the base system or have its own copies of
> things so that it is largely self contained -- at least that is my
> general understanding.
> 
> I'm only using ports-mgmt/pkg as an illustration of an idea: I might
> be wrong about it using openssl for example. There might be other
> things besides ports-mgmt/pkg that might have such a relationship to
> the base system, sort of a bootstrapping issue.
> 
> I'll note that I sometimes use powerpc and/or powerpc64 where
> source-based builds are required: no binary distributions are
> generally available for ports for them.

Yes -- that is a problem with pkg(8).  We don't want pkg(8) to have any
dependencies on other packages (outside of the base system), as that
complicates bootstrapping.  So there are three possible solutions here:

   * Use a statically linked version of pkg(8).  This is already done
     for bootstrapping pkg itself, but it's not favoured in general as
     static linkage prevents some of the other pkg functionality
     working.

   * Move pkg into the base system.  This is probably going to happen
     eventually, but the reasons for keeping pkg(8) separate are still
     valid: if pkg(8) development is tied to the OS release cycle, and
     consequently there are numerous different versions in use, it's
     going to slow down development, make supporting all the different
     OS release versions with binary packages much harder and make it
     much more difficult to push out bug fixes to pkg(8) specifically.

   * Make an exception for pkg(8) and allow it to continue using SSL
     libraries from the base system.

   * Import some sort of SSL library directly into the pkg(8) sources,
     in the same way that pkg(8) already pulls in libfetch and sqlite3.

One of the last two is going to be the solution for the foreseeable
future, with the 'move pkg(8) into base' solution being a much longer
term goal, once the pace of development on pkg(8) has stabilized.

Pkg(8) really is an exception here though.  Once pkg(8) is in place,
then *any* *other* package can be handled with whatever arbitrarily
complicated dependency tree is required.  It's already possible to
compile your own ports against the ports version of openssl or even to
use libressl instead.  Works like a charm, and switching between any of
these scenarios is something that pkg(8) already handles gracefully for
you. (I speak from experience.) The only concern is people being too
timid to update everything that needs this treatment at once -- in which
case there are some unusual scenarios in which you could get two
different copies of openssl shlibs dynamically loaded into one program
image, and that generally results in instant program abort and core
dump.  The Kerberos libs Mat mentioned are simply the most prominent
example of that sort of thing in the ports at the moment.

	Cheers,

	Matthew
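
The mixed-library situation described in the message above (two copies of the openssl shlibs in one program image) can be spotted from `ldd` output. The following is an added example, not part of the original e-mail or of pkg(8); the function names, library version numbers and sample `ldd` lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag a binary whose dependency closure resolves libssl or
# libcrypto to more than one file (e.g. a base system copy and a ports copy).

# find_mixed_openssl (hypothetical helper): reads `ldd` output on stdin and
# prints one line per library family that maps to more than one path.
# Exit status is 1 if any conflict was found, 0 otherwise.
find_mixed_openssl() {
    awk '
        # ldd lines look like: "<tab>libssl.so.N => /path/libssl.so.N (0xaddr)"
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            family = $1
            sub(/\.so.*/, "", family)          # libssl.so.N -> libssl
            key = family SUBSEP $3
            if (!(key in seen)) {              # count each resolved path once
                seen[key] = 1
                count[family]++
                paths[family] = paths[family] " " $3
            }
        }
        END {
            status = 0
            for (f in count)
                if (count[f] > 1) { print f ":" paths[f]; status = 1 }
            exit status
        }
    '
}

# Constructed sample (not captured from a real system): a program linked
# against a ports libssl that also pulls in a library built against base.
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/example:
	libexample.so.1 => /usr/local/lib/libexample.so.1 (0x800823000)
	libssl.so.9 => /usr/local/lib/libssl.so.9 (0x800a31000)
	libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x800c9d000)
	libcrypto.so.8 => /lib/libcrypto.so.8 (0x801108000)
	libc.so.7 => /lib/libc.so.7 (0x80157f000)
EOF
}

# Demonstration on the constructed sample; on a live system use:
#   ldd /path/to/binary | find_mixed_openssl
sample_ldd | find_mixed_openssl || true
```
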

