base components should always be default (Re: change in default openssl coming)

Guido Falsi mad at
Sat Jul 9 21:14:14 UTC 2016

On 07/09/16 22:40, Thierry Thomas wrote:
> Le sam  9 jul 16 à 20:35:59 +0200, Guido Falsi <mad at>
>  écrivait :
>> But that option will not change the basic problem of how the OS is
>> developed. FreeBSD base will anyway include OpenSSL even though users
>> can choose(and have been able to for a long while) too not install it.
> But with a packaged base, OpenSSL from base and OpenSSL from ports could
> be merged.

Don't think that's an option. Having base depend on a port which can
change below it would be a major cause of instability.

Also the port's OpenSSL could change API/ABI at any time, while base
software cannot follow such a schedule.

Base software requires a stable API, and needs to be tested each time
the library below it changes.

I think the only viable solution to this is making base OpenSSL a
private library not exposed externally (like other libraries in base) so
it is decoupled. As I said this would remove the need for stability of
the exposed ABI/API allowing base to update it whenever it's needed, and
also migrating to another implementation if that's what developers
choose to do.

This is also complicated by ports having mixed requirements. Certain
ported software depends on the latest and greatest SSL library, others
depend on older APIs, so ports have to cater for these needs too, which
are in sharp contrast with base ones.

I agree that packages base anyway helps with making openssl private.

The point is, ports have a need to allow for linking with a vast array
of SSL libraries (two versions of OpenSSL and the various LibreSSL
PolarSSL and others), base needs a stable one with tested compatibility
at each slightest change.

Guido Falsi <mad at>

More information about the freebsd-ports mailing list