On 2018-08-19 0:25, Dewayne Geraghty wrote:
Bernard,
Given the silly way that the openssl crew have decided to name their
releases I think this is a good approach for the moment.  I wonder how
they'll number an update to 1.1  :)  (1.1A 1.2?) or what an update to
1.1.1 - a rod for their own back (I think it a pity the TLS folks did
not use 2.0 rather than 1.3).

I've used your wikis a great deal and have found your proactive
engagement a delight.

Yes I still build all amd64 ports with libressl.  I'm considering
migration to libressl-devel because I think this will remove some
security/libressl tweak complexity.  ;)

After reviewing your FOSDEM slides -
- yes there are ports that use base even when told not to, so for libssl | libcrypto - I just remove them, though I do replace them with symlinks.
- I hadn't seen this SSL_OP_SINGLE_DH_USE before. We regenerate DH on a
daily basis in background, so for us it's preferred.
- slide 17 - building without openssl creates deficient libarchive,
which is ok if you pull via curl and one of the archiver/ tar-like
files.  Problematic for most users.
- thank you for drawing my attention to this PRIVATELIB=true  WOW!
Great!  I'll also search ports for any use of USEPRIVATELIB so I can
remove the line ;)
- pkg is a problem.  We rebuild required ports then remove all ports
(pkg delete -a), install (via tar) the key ones, then rebuild
everything.  Convoluted but effective for our purposes.

Excellent presentation, summary of history and references.

Kind regards, Dewayne
ps I use security/heimdal ports for all production servers, we build
1200+ ports each month - it catches a lot of mismatches.  The
recommendation to use MIT for anything is unfortunate - why provide the
US the opportunity for additional sanctions :) I've found heimdal to be
ridiculously stable in production AND predictable.

Hi Dewayne,

Thanks for your response! Waiting for some more people to chime in before I pull any triggers.

As for libressl-devel, there are no ABI changes so far and I haven't really seen any benefits of using 2.8 over 2.7 so far. Have you seen anything specific?

Heimdal is one of the blockers for updating OpenSSL to 1.1 in base :D

Cheers, Bernard.
_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports