On Tue, 12 May 2015 03:52:10 -0700
Yuri <y...@rawbw.com> wrote:

> On 05/12/2015 02:25, Dr. Peter Voigt wrote:
> > Therefore I conclude:
> >
> > - Installing binary packages with pkg does not honor the
> >   WITH_OPENSSL_BASE=yes switch. Is there another place to tell pkg
> >   to use base openssl when doing binary installations?
>
> Binary packages are built with default choices for port options.
> These choices are fixed, and don't depend on your choice of
> WITH_OPENSSL_BASE=yes in ports.
> Also this option WITH_OPENSSL_BASE=yes should be deprecated ASAP in
> all ports, except maybe very few.

Well, thanks for clarifying.

> > - If port openssl is not present on a system, any dependency to
> >   openssl is not detected by porttree.
>
> OpenSSL is an oddball, because USE_OPENSSL is interpreted in a weird
> way that it tries to detect its port presence and link with it, so
> standard packages are often built with base SSL which is a problem.
> This has been discussed, but I am not sure of when this will be fixed.

If I understand things correctly, this unavoidable mixture of base and
port openssl can lead to serious problems in the way described in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198788

This is in particular even more serious due to the API change between
port openssl 1.0.1 and 1.0.2. And even worse: ASM=on is causing trouble
on a lot of hardware.

The initial problem in this thread of postfix not building anymore
against new port openssl turned out to be caused by an increasingly
unstable system with shells and vim core dumping. An at least temporary
solution was to rebuild all ports against base openssl, as many others
did. I also tried to downgrade port openssl with portdowngrade, but I
did not feel it was the right way because it requires some manual
interaction which would have to be repeated after every ports tree
update. And of course it is no solution to stay with an older release
of port openssl, excluding me from security patches.

> In short, as I also mentioned before, you won't be able to get rid of
> OpenSSL port because some packages require it unconditionally. So the
> best strategy is to use OpenSSL port for everything. You will likely
> be successful if you build them yourself from ports, and fix places
> where base SSL comes into play.

I am getting an idea now why you're recommending to build all ports
against port openssl. However, currently

1.) I cannot get a reliable list of all ports depending on openssl. I
do not have port openssl installed on my system and porttree fails in
this case. "make run-depends-list" would do the job, but I don't know
how to batch run it against all installed ports. On the other hand I
have carefully logged all steps performed when rebuilding my ports
against base openssl, e.g. I have a list of ports depending on openssl.
I do not know if this list is complete.

2.) I do not have enough knowledge to "fix" a port refusing to build
against port openssl. I am not even sure if I would safely detect all
such ports.

3.) If I decide to rebuild my ports against port openssl, there is a
good chance of ending up with an unresponsive system as described in PR
198788, because of some (undetected) ports insisting on building
against base openssl instead.

4.) I wish there could be a guideline from FreeBSD experts telling
people the best strategy for handling openssl without risking an
unstable system. This should also cover dependency detection. I once
migrated my main server from Linux to FreeBSD because stability and
security are most important for me. This openssl thing is getting a bit
annoying.

One last thing in the end:

While thinking and searching about openssl dependency checking I have
discovered that pkg can do a shared library check. I immediately checked
all installed ports for missing libraries and found a stale dependency
of cups-filters against port openssl. I rebuilt cups-filters against
base openssl, which in turn solved my initial issue: www/firefox can
now be installed as a package without being forced to install port
openssl. And moreover: this even corrects the build failure of
www/firefox. I will immediately report this to PR 199404.

Thank you very much for your feedback, advice and valuable discussion.

Peter