svn commit: r428138 - head/security/py-cryptography

Mathieu Arnold mat at FreeBSD.org
Fri Dec 9 14:27:13 UTC 2016 

Le 09/12/2016 à 15:19, Mark Felder a écrit :
>
> On Fri, Dec 9, 2016, at 04:12, Mathieu Arnold wrote:
>> Le 08/12/2016 à 18:07, Mark Felder a écrit :
>>> Author: feld
>>> Date: Thu Dec  8 17:07:22 2016
>>> New Revision: 428138
>>> URL: https://svnweb.freebsd.org/changeset/ports/428138
>>>
>>> Log:
>>>   security/py-pycryptography: Fix build on FreeBSD 9.3
>>>   
>>>   Modern py-cryptography requires a more modern OpenSSL. This switch to
>>>   requiring OpenSSL from ports is a disruptive change, but it will protect
>>>   these users from the recently patched vulnerabilites.
>>>   
>>>   Support for OpenSSL 0.9.8 was removed in pycryptography as of version 1.4.
>>>   The last release to support OpenSSL 0.9.8 was 1.3.4 which is still
>>>   vulnerable to the HDKF key generation bug. It appears that version 1.4
>>>   did build successfully on FreeBSD 9.3, but upstream had abandoned
>>>   support for OpenSSL 0.9.8 at that point so it is unclear if it was fully
>>>   functional.
>>>   
>>>   PR:		214915
>>>   MFH:		2016Q4
>>>
>>> Modified:
>>>   head/security/py-cryptography/Makefile
>>>
>>> Modified: head/security/py-cryptography/Makefile
>>> ==============================================================================
>>> --- head/security/py-cryptography/Makefile	Thu Dec  8 17:05:45 2016	(r428137)
>>> +++ head/security/py-cryptography/Makefile	Thu Dec  8 17:07:22 2016	(r428138)
>>> @@ -27,6 +27,11 @@ USE_PYTHON=	autoplist distutils
>>>  CFLAGS+=	-I${OPENSSLINC}
>>>  LDFLAGS+=	-L${OPENSSLLIB}
>>>  
>>> +# Modern py-cyptography requires newer OpenSSL
>>> +.if ${OSVERSION} < 1000000
>>> +WITH_OPENSSL_PORT=	yes
>>> +.endif
>>> +
>> The correct fix is:
>>
>> .if ${OSVERSION} < 1000000 && ${SSL_DEFAULT:Mbase}
>> IGNORE= Needs a more recent OpenSSL
>> .endif
>>
> I was trying to avoid doing that because this means we won't have
> packages on our mirrors for 9.3-RELEASE users. :(

It is not really a choice, either you don't have a package, or you have
packages that are half linked with base openssl and half with ports
openssl, which will end up doing at best core dumps.

-- 
Mathieu Arnold


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/svn-ports-head/attachments/20161209/4e5ff036/attachment.sig>

More information about the svn-ports-head mailing list