WITHOUT_OPENSSL and make delete-old

Dewayne Geraghty dewayne.geraghty at consciuminternational.com.au
Tue Jul 14 00:46:40 UTC 2015

On 14/07/2015 12:03 AM, Matt Smith wrote:
> Hi, I use the ports version of OpenSSL for everything and don't
> require the base version. As a result I thought I would remove it by
> adding WITHOUT_OPENSSL into /etc/src.conf and running make delete-old
> in /usr/src. However this seems to only want to delete things related
> to kerberos and gssapi, which is understandable as they depend on
> OpenSSL.  However it doesn't seem to touch any OpenSSL files at all.
> Is this a bug or have I missed something?
Matt, I've been down that road.  And for a few years, I installed the
openssl port over openssl base.  But things have changed a lot: geli
uses openssl headers; libarchive (hence tar, cpio) needs openssl; and of
course kerberos and openssh do.  Also, if you remove gssapi then you
won't be able to build gssd (used for kernel/NFS gssapi).

The way I "get around" this issue is to build a base system that uses
base openssl to build the necessary "base" components, using
WITHOUT_[KERBEROS,OPENSSH].  Using this base system, I build a couple of
jails, which are used to build the ports.  For these jails I remove any
remnants of base openssl.  Then I'm able to build everything and install
onto the production servers only what they need.  (Pay attention to
where base openssl places libcom_err.*, it sometimes slips through. I
have a PR for this; and a build script removes it).

What do you lose?  The FreeBSD version of openssl is tweaked by very
knowledgeable members (both Dag-Erling Smorgrav and John-Mark Gurney et
al), so you may want to examine their changes.

There is/was talk about making base openssl - "private" which I believe
will accomplish the same result: base openssl for the base system, and
port openssl for port building.  I don't have details or timeline for
these changes.

Why did I bother? Historically - I installed heimdal 1.0.1 while base
heimdal was at 0.6.3. And for my use case: no nfs, needed additional
ciphers (at the time) and a slightly different attack surface; my build
system works.  :)

I hope I've saved you some time.
Regards, Dewayne.

For the talkers: “The superior man acts before he speaks, and afterwards speaks according to his action.”
For everyone else: “Life is really simple, but we insist on making it complicated.”
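The procedure in the reply above (build base with WITHOUT_KERBEROS and WITHOUT_OPENSSH, install it into build jails, then strip the remnants of base openssl, watching for libcom_err) leaves one step that is easy to get wrong: confirming that a jail really has no base OpenSSL left before ports are built in it. The following script is an added example and is not code from the poster or from the FreeBSD tree. It assumes the standard base install locations for the OpenSSL libraries, headers, binary and config directory, a hypothetical script name audit-base-openssl.sh, and that the jail root is passed as the first argument; the src.conf knobs it lists are the ones named in the post.

```sh
#!/bin/sh
# Added example, not from the original post or the FreeBSD tree: audit a
# build jail's root for leftovers of base-system OpenSSL before using that
# jail to build ports against the openssl port, and optionally remove them.
#
# The base build itself is driven by /etc/src.conf; the knobs the post
# mentions (assumed here to be the only ones needed, adjust to taste) are:
#     WITHOUT_KERBEROS=yes
#     WITHOUT_OPENSSH=yes
# After installing that world into the jail, run (script name is assumed):
#     ./audit-base-openssl.sh /path/to/jail        # list remnants
#     ./audit-base-openssl.sh /path/to/jail clean  # delete them

# Base OpenSSL artefacts, relative to the jail root. These are the usual
# install locations (an assumption; check your own tree); libcom_err.* is
# on the list because the post notes it tends to slip through.
BASE_OPENSSL_PATTERNS='
usr/lib/libcrypto.*
usr/lib/libssl.*
usr/lib/libcom_err.*
usr/include/openssl
usr/bin/openssl
usr/share/openssl
'

# Print every matching path under $1, one per line.
# Returns 0 when nothing was found, 1 when remnants exist.
find_base_openssl_remnants() {
    root=${1%/}
    count=0
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        # Expand the glob relative to the jail root; an unmatched pattern
        # is left literal by the shell and filtered out by the -e/-L test
        # (the -L test keeps dangling symlinks such as libcrypto.so).
        for path in "$root"/$pat; do
            if [ -e "$path" ] || [ -L "$path" ]; then
                printf '%s\n' "$path"
                count=$((count + 1))
            fi
        done
    done <<EOF
$BASE_OPENSSL_PATTERNS
EOF
    [ "$count" -eq 0 ]
}

# Delete everything find_base_openssl_remnants reports under $1.
# Refuses to run against / so a typo cannot strip the host's base OpenSSL.
remove_base_openssl_remnants() {
    root=${1%/}
    if [ -z "$root" ] || [ "$root" = "/" ]; then
        echo "refusing to clean the host root" >&2
        return 2
    fi
    find_base_openssl_remnants "$root" | while IFS= read -r path; do
        rm -rf "$path"
        printf 'removed %s\n' "$path"
    done
}

# Command-line entry point; does nothing when no jail root is given.
if [ $# -gt 0 ]; then
    case ${2-} in
        clean) remove_base_openssl_remnants "$1" ;;
        *)     find_base_openssl_remnants "$1" ;;
    esac
fi
```

The audit is deliberately a fixed list rather than a search for anything named "ssl": the point is to catch the known base artefacts (including the libcom_err stragglers) without touching files the openssl port will later install under /usr/local. Run it in list mode first and read the output before passing clean.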

More information about the freebsd-stable mailing list