ignoring openssl port
Toomas Aas
toomas.aas at raad.tartu.ee
Tue Oct 14 06:37:10 PDT 2003
Hello!
On Mon, 4 Aug 2003 14:48:38 +0300, I wrote:
> Some of my machines were running RELENG_4_7 when I installed ports such
> as apache13_modssl and cyrus-imapd on them. Since that version of
> FreeBSD had OpenSSL 0.9.6 in the base system and these ports required
> 0.9.7, I ended up with openssl port installed on these systems.
> Now that I'm upgrading to RELENG_4_8, which includes OpenSSL 0.9.7, I
> want to get rid of the port. It would just feel cleaner to not have
> multiple versions of the same libraries in /usr/lib and /usr/local/lib.
Among several recommendations of how to get rid of the port, the best
one seemed to be from Matthew Seaman: define WITH_OPENSSL_BASE=yes,
rebuild the dependent ports (make build while the old port is still
running), and then "make install" the port. Then remove the OpenSSL
port.
Back then I decided that I can live with both base and port version of
OpenSSL installed, and I decided not to spend time on following this
advice.
Now, in light of recent OpenSSL security advisories, something needs to
be done. I have upgraded the base system to 4.8-RELEASE-p13, so the
base OpenSSL should be safe. I have two options right now:
(1) upgrade the port
(2) get rid of the port, leaving only the base system OpenSSL installed
(what I wanted to do back in August)
I'd like to use option (2), so I tried to follow Matthew Seaman's
advice. I put WITH_OPENSSL_BASE=yes into /etc/make.conf and tried to
run 'make build' in /usr/ports/www/apache13-modssl. This resulted in
the following message:
    This port wants the OpenSSL library from the FreeBSD base system. You
    can't build against it, while a newer Version is installed by a port.
    Please deinstall the port or undefine WITH_OPENSSL_BASE.
I found the place which causes this message in
/usr/ports/Mk/bsd.port.mk:
.if exists(${LOCALBASE}/lib/libcrypto.so)
.BEGIN:
	@${ECHO_CMD} "This port wants the OpenSSL library from the FreeBSD"
	@${ECHO_CMD} "base system. You can't build against it, while a newer"
	@${ECHO_CMD} "Version is installed by a port."
	@${ECHO_CMD} "Please deinstall the port or undefine WITH_OPENSSL_BASE."
	@${FALSE}
.endif
Looking at this while not being a Makefile guru, it seems to me that
this merely checks if /usr/local/lib/libcrypto.so exists and if it does
then the port build process is halted with the message. But this would
mean that WITH_OPENSSL_BASE cannot be used at all if the port is
installed. If that were true, there wouldn't be any point in having
this variable in the first place, so I must be overlooking something.
Anyway, I tried commenting out the above passage in
/usr/ports/Mk/bsd.port.mk and rebuilding another port which depends on
OpenSSL, namely /usr/ports/ftp/wget. I checked with
    ldd /usr/local/bin/wget
before and after installing and this showed that now I indeed have wget
linked against /usr/lib/libssl.so.3, whereas before it was linked
against /usr/local/lib/libssl.so.3.
Before I try the same with apache13-modssl port, I just wanted to
verify if commenting out the above passage in /usr/ports/Mk/bsd.port.mk
can cause any unforeseen damage.
Sorry for the long message. When I started out I didn't realise that
it takes so many keystrokes to word such a simple question ;-)
--
Toomas Aas | toomas.aas at raad.tartu.ee | http://www.raad.tartu.ee/~toomas/
* Key ring - a handy little gadget that allows you to lose all your keys at once.
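
The ldd check described in the message, generalized as an added example (not part of the original post or of the ports tree): it classifies a binary by where libssl and libcrypto resolve from and flags mixed linkage. The function names and the sample ldd output are constructed for illustration; the /usr/lib and /usr/local/lib paths are the ones the message names.

```shell
#!/bin/sh
# Added example. Paths are the ones named in the message:
#   base system OpenSSL -> /usr/lib, openssl port -> /usr/local/lib

# classify_ldd: read `ldd` output on stdin and print where libssl/libcrypto
# resolve from: "port", "base", "mixed" (one from each) or "none".
classify_ldd() {
    awk '
        # Lines look like: libssl.so.3 => /usr/lib/libssl.so.3 (0x28094000)
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\/lib\//) port++
            else if ($3 ~ /^\/usr\/lib\//) base++
        }
        END {
            if (port && base) print "mixed"
            else if (port)    print "port"
            else if (base)    print "base"
            else              print "none"
        }'
}

# audit_dir: list executables in directory $1 that still load any OpenSSL
# library from the port ("port" or "mixed"), i.e. that need a rebuild
# before the port can be removed.
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        case "$(ldd "$f" 2>/dev/null | classify_ldd)" in
            port|mixed) printf '%s\n' "$f" ;;
        esac
    done
}

# sample_ldd: constructed ldd output (not captured from a real host).
# $1 = directory libssl resolves from, $2 = directory for libcrypto.
sample_ldd() {
    printf '/usr/local/bin/wget:\n'
    printf '\tlibssl.so.3 => %s/libssl.so.3 (0x28094000)\n' "$1"
    printf '\tlibcrypto.so.3 => %s/libcrypto.so.3 (0x280c3000)\n' "$2"
    printf '\tlibc.so.4 => /usr/lib/libc.so.4 (0x281b9000)\n'
}

# On a live system: sh thisfile /usr/local/bin
if [ "$#" -gt 0 ]; then audit_dir "$1"; fi
```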