Re: base components should always be default (Re: change in default openssl coming)
On 08/07/2016 23:59, Kevin Oberman wrote:
> On Fri, Jul 8, 2016 at 12:20 PM, Grzegorz Junka wrote:
>> On 08/07/2016 16:29, Mikhail T. wrote:
>>> On 08.07.2016 02:26, Mathieu Arnold wrote:
>>>> During this summer (sometime in August I think) I will be changing
>>>> the default OpenSSL for the ports tree from the base system version
>>>> to security/openssl.
>>>
>>> The short answer is "Why?!" The longer reaction is: "please don't".
>>> Certainly not without a lengthy and exhaustive discussion (or
>>> flame-war, if you will), which shall arrive at a consensus -- and, if
>>> it does not, then no change shall happen.
>>>
>>> Generally, we should be eating our own dog-food -- using base-provided
>>> components for everything by default where at all possible. If the
>>> base OpenSSL is in some way(s) deficient, well, that's an argument for
>>> updating the base.
>>>
>>> The base comes with not just the libraries, but with the accompanying
>>> header-files -- meaning, the developers are free to use those
>>> libraries. So the ports certainly should be doing just that.
>>
>> The only reason I heard why base isn't updated with the proper package
>> from ports is because of security implications. Older versions are more
>> security-tested and therefore safer. If there is a vulnerability in the
>> base it's much more hassle to update the base than ports.
>>
>> I don't have my opinion and sometimes it's annoying to not be able to
>> use the base version, but putting everything into base is certainly an
>> option if only the process of updating the base was light and quick
>> enough. Is it like that now? Maybe with the incoming release cycle from
>> FreeBSD-11?
>
> Not really, though it is an issue. The issue with OpenSSL (and other
> contributed code that is also part of ports) is that the base is
> limited to being updated with major releases if ABI changes are
> involved. This keeps base well behind the current release and ports
> often require the newer version in ports.
>
> It also means Building some ports with the base system and some with
> the ports version leads to a chaotic situation where one library is
> linked to the port shareable and another to the base one. Then another
> port links to both of those libraries and that makes it non-runnable as
> rtld won't load an image if it requires two different versions of
> shareable. Very awkward to clean up this mess. I know, having had to do
> so a couple of times.

Is anyone familiar how source-based Linux distros deal with this issue,
e.g. Gentoo?

For me the most sane approach would be if pkg/ports didn't allow to
install packages that mix versions of the same applications:

- if there is a newer version installed from ports and one tries to
  install a package that depends on an older version from base, the base
  version is replaced with the ports version and the dependent ports
  re-installed (depending on options), or the operation is aborted.

Would it be worth considering building two versions of ports, one
dependent on other ports and one dependent on base? They could have
different version suffixes and the build system could make packages to
depend on one version or another. Those who build their ports could
choose one option or the other as the default to only build one version.

Grzegorz
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
Re: base components should always be default (Re: change in default openssl coming)
On 7/8/16 12:20, Grzegorz Junka wrote:
>
> The only reason I heard why base isn't updated with the proper package
> from ports is because of security implications. Older versions are more
> security-tested and therefore safer. If there is a vulnerability in the
> base it's much more hassle to update the base than ports.

Not necessarily safer -- for instance on FreeBSD 9.x the base system
OpenSSL is EoL'ed by upstream, and therefore the security fixes are
backported by secteam@ in a case-by-case manner.

Generally speaking, newer code is safer and supports newer standards,
and we recommend ALL users who are still on FreeBSD 9.x to use port
version of OpenSSL.

The only possible problem with defaulting to port OpenSSL that I can
think of is some DLL hell style issue. If a base system library links
against OpenSSL, then gets linked into port binary which links to port
OpenSSL, we may see problems. For instance, some utilities depend on
libarchive, libarchive depends on libcrypto (OpenSSL). If it loads an
OpenLDAP client (i.e. through a NSS module), that depends on port
version of libcrypto, there _may_ be problems.

Cheers,
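The mixed base/ports linkage described in the message above can be checked for on a host. This is an added example, not part of the original thread: a POSIX sh function that reads `ldd`-style output and reports binaries whose dependency list resolves libcrypto or libssl from more than one path. The function name `find_mixed_ssl`, the helper `sample_ldd` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report binaries whose resolved
# dependencies include libcrypto or libssl from more than one path.

# find_mixed_ssl: read ldd-style output on stdin; print one line per conflict:
#   <binary> <library> <path1>,<path2>[,...]
find_mixed_ssl() {
    awk '
    function flush(   l, k) {
        for (l in count)
            if (count[l] > 1)
                printf "%s %s %s\n", bin, l, paths[l]
        for (k in seen)  delete seen[k]
        for (k in paths) delete paths[k]
        for (k in count) delete count[k]
    }
    # An unindented line ending in ":" names the next binary.
    /^[^ \t].*:$/ {
        flush()
        bin = substr($0, 1, length($0) - 1)
        next
    }
    # Dependency line: libcrypto.so.N => /resolved/path (0xaddress)
    $2 == "=>" && $1 ~ /^lib(crypto|ssl)\.so/ {
        lib = $1
        sub(/\.so.*$/, "", lib)        # libcrypto.so.N becomes libcrypto
        key = lib SUBSEP $3
        if (key in seen)               # same file listed twice is not a conflict
            next
        seen[key] = 1
        if (count[lib]++)
            paths[lib] = paths[lib] "," $3
        else
            paths[lib] = $3
    }
    END { flush() }
    ' | sort
}

# Constructed sample, not captured from a real host: the first binary uses
# only base libraries, the second pulls in libcrypto from base and from ports.
sample_ldd() {
    cat <<'EOF'
/usr/bin/fetch:
    libfetch.so.6 => /usr/lib/libfetch.so.6 (0x800822000)
    libssl.so.8 => /usr/lib/libssl.so.8 (0x800a37000)
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x800ca4000)
    libc.so.7 => /lib/libc.so.7 (0x80111a000)
/usr/local/bin/example-port:
    libarchive.so.6 => /usr/lib/libarchive.so.6 (0x800824000)
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x800ad1000)
    libexample.so.1 => /usr/local/lib/libexample.so.1 (0x800f47000)
    libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x801165000)
    libc.so.7 => /lib/libc.so.7 (0x8015d6000)
EOF
}

sample_ldd | find_mixed_ssl
```

On a real system the input would come from something like `ldd /usr/local/bin/* 2>/dev/null | find_mixed_ssl`. Libraries loaded at run time, such as the NSS module case in the message above, do not appear in `ldd` output.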
Re: base components should always be default (Re: change in default openssl coming)
On Fri, 8 Jul 2016, Mikhail T. wrote:
> On 08.07.2016 02:26, Mathieu Arnold wrote:
>> During this summer (sometime in August I think) I will be changing the
>> default OpenSSL for the ports tree from the base system version to
>> security/openssl.
>
> The short answer is "Why?!" The longer reaction is: "please don't".

Why openssl is a part of base system at all?
Re: base components should always be default (Re: change in default openssl coming)
Xin Li wrote:
> On 7/8/16 12:20, Grzegorz Junka wrote:
>> The only reason I heard why base isn't updated with the proper package
>> from ports is because of security implications. Older versions are more
>> security-tested and therefore safer. If there is a vulnerability in the
>> base it's much more hassle to update the base than ports.
>
> Not necessarily safer -- for instance on FreeBSD 9.x the base system
> OpenSSL is EoL'ed by upstream, and therefore the security fixes are
> backported by secteam@ in a case-by-case manner.
>
> Generally speaking, newer code is safer and supports newer standards,
> and we recommend ALL users who are still on FreeBSD 9.x to use port
> version of OpenSSL.

Did that a long time ago when I realised how FreeBSD actually supports
the people using it instead of the developers.. not that it worries me
now, shortly I won't have any FreeBSD hosts.

-- 
Michelle Sullivan
http://www.mhix.org/
FreeBSD ports you maintain which are out of date
Dear port maintainer,

The portscout new distfile checker has detected that one or more of your
ports appears to be out of date. Please take the opportunity to check
each of the ports listed below, and if possible and appropriate,
submit/commit an update. If any ports have already been updated, you can
safely ignore the entry.

You will not be e-mailed again for any of the port/version combinations
below.

Full details can be found at the following URL:
http://portscout.freebsd.org/po...@freebsd.org.html

Port          | Current version | New version
--------------+-----------------+------------
audio/cplay   | 1.49            | 1.50
math/giacxcas | 1.2.2-57        | 1.2.2-71
misc/mtail    | 1.1.1           | 1.2.0

If any of the above results are invalid, please check the following page
for details on how to improve portscout's detection and selection of
distfiles on a per-port basis:
http://portscout.freebsd.org/info/portscout-portconfig.txt

Thanks.
Re: base components should always be default (Re: change in default openssl coming)
On Sat, 9 Jul 2016 10:32:35 +0200, Wojciech Puchar stated:

>Why openssl is a part of base system at all?

Interesting question. Perl was removed from the base system years ago
with no ill effects.

-- 
Carmel
Re: base components should always be default (Re: change in default openssl coming)
Gerard Seibert wrote:
> On Sat, 9 Jul 2016 10:32:35 +0200, Wojciech Puchar stated:
>
>> Why openssl is a part of base system at all?
>
> Interesting question. Perl was removed from the base system years ago
> with no ill effects.

ssh ...?

(and maybe the up and coming systemd ..! :P (joking))

-- 
Michelle Sullivan
http://www.mhix.org/
Re: base components should always be default (Re: change in default openssl coming)
On 07/09/16 12:19, Gerard Seibert wrote:
> On Sat, 9 Jul 2016 10:32:35 +0200, Wojciech Puchar stated:
>
>> Why openssl is a part of base system at all?
>
> Interesting question. Perl was removed from the base system years ago
> with no ill effects.
>

There's a kerberos implementation in base which requires OpenSSL.

libfetch and fetch also require it to access the https sites I can
imagine.

svnlite also links to it. (needed for svn+https://)

Most probably also other parts I'm not thinking about.

Completely removing OpenSSL from base requires replacing it with some
other SSL implementation, or removing a lot of other goodies which
interface themselves with the external world from base.

With this change it could be possible to make the base bundled OpenSSL
(or equivalent) a private library never seen by ports (with the
exception of pkg, which also needs it and cannot depend on another
port), which is as near as you can get to removing it.

Such a change would make it easier to update or change it, since it's
not an exposed API/ABI anymore at that point and so not restricted from
change.

-- 
Guido Falsi
Re: Maintaining mono/.net
Dear all,

I finally could manage to sync my local mess into some "shippable form"
and updated the bsd-sharp github repository with current WIP:
https://github.com/smortex/bsd-sharp

My main issue is devel/newtonsoft-json which fails to build. I could not
manage to get more time to search for the root cause of the build
failure during the last couple of weeks :-(

If someone has insights or a workaround, thank you for sharing !

Regards,
Romain

-- 
Romain Tartière http://people.FreeBSD.org/~romain/
pgp: 8234 9A78 E7C0 B807 0B59 80FF BA4D 1D95 5112 336F (ID: 0x5112336F)
(plain text =non-HTML= PGP/GPG encrypted/signed e-mail much appreciated)
Re: Maintaining mono/.net
On 28/06/2016 4:06 AM, Russell Haley wrote:
> Hello Ports Team,
>
> A couple of us on the freebsd-mono@ mailing list are having a
> discussion on how best to maintain the mono ports/.net ports. One of
> the things that has come up is maintaining the patches for "all this
> stuff". The current paradigm in FreeBSD as I understand it is to use
> the files directory and apply the patches to the port via svn/ports
> tree. However, with the ubiquity of GitHub in opensource, it now seems
> to be feasible to simply create a Github account to maintain a bunch
> of forked repositories (which is essentially a patched git
> repository!). This makes it easier to create and apply patches and
> gives us the natural path to push things back upstream. In the end, we
> would just pull from the FreeBSD specific repository, which is no
> different than, say, pulling from the mono project directly.
>
> This email is a request for response from anyone on the ports team (or
> FreeBSD general) to give some input as to the acceptability of this
> solution, as well as any "gotchas" we haven't thought of yet. Thanks
> in advance!
>
>
> Russ

Hi Russ,

If all the things can't eventually end up upstream, and even if they
ultimately could, there's no issues with your own github repository to
maintain a 'freebsd branch'.

We have other teams/projects doing just that, such as
freebsd-ports-gnome, freebsd-ports-graphics among others.

I'll go one beyond that and say I'd (as a part of Git Admin) be happy to
create a repository under the official freebsd organisation for you,
perhaps named "freebsd-ports-mono" or similar, with the members of 'team
mono' added as writers.

Hit me up off-list (cc git-admin@) to discuss further

-- 
Regards,
Kubilay
Git Admin
Re: base components should always be default (Re: change in default openssl coming)
On 9 Jul 2016 10:33 a.m., "Wojciech Puchar" wrote:
>
>
>
> On Fri, 8 Jul 2016, Mikhail T. wrote:
>
>> On 08.07.2016 02:26, Mathieu Arnold wrote:
>>>
>>> During this summer (sometime in August I think) I will be changing
>>> the default OpenSSL for the ports tree from the base system version
>>> to security/openssl.
>>
>> The short answer is "Why?!" The longer reaction is: "please don't".
>>
> Why openssl is a part of base system at all?
>

Maybe we can also ask: why is pkg not?
Re: base components should always be default (Re: change in default openssl coming)
On 07/09/16 14:36, Fernando Herrero Carrón wrote:
> On 9 Jul 2016 10:33 a.m., "Wojciech Puchar" wrote:
>>
>>
>>
>> On Fri, 8 Jul 2016, Mikhail T. wrote:
>>
>>> On 08.07.2016 02:26, Mathieu Arnold wrote:
>>>> During this summer (sometime in August I think) I will be changing
>>>> the default OpenSSL for the ports tree from the base system version
>>>> to security/openssl.
>>>
>>> The short answer is "Why?!" The longer reaction is: "please don't".
>>>
>> Why openssl is a part of base system at all?
>>
>
> Maybe we can also ask: why is pkg not?

This has been answered various times. I can't speak for the maintainers
of pkg, but an answer to this question was already posted in this same
thread:

https://lists.freebsd.org/pipermail/freebsd-ports/2016-July/103886.html

(second bullet in the list)

If you look in the mailing list archives you will find more replies on
the same tome.

-- 
Guido Falsi
Can someone take a look at these PRs?
All with no maintainer response after > 14 days.

Add missing dependency to devel/gradle:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208471

which will help unbreak the build of java/openjfx8-devel:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208470

And one for audio/portaudio which installs libtool wrapper scripts instead of actual binaries:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210455
Re: base components should always be default (Re: change in default openssl coming)
On Sat 9 Jul 16 at 12:49:53 +0200, Guido Falsi wrote:

> Completely removing OpenSSL from base requires replacing it with some
> other SSL implementation, or removing a lot of other goodies which
> interface themselves with the external world from base.

Well, anyway, we are going to a packaged base, so this question won't be
a problem.

-- 
Th. Thomas.
Re: base components should always be default (Re: change in default openssl coming)
On 9 Jul 2016 3:13 p.m., "Guido Falsi" wrote:
>
> On 07/09/16 14:36, Fernando Herrero Carrón wrote:
> > On 9 Jul 2016 10:33 a.m., "Wojciech Puchar" wrote:
> >>
> >>
> >>
> >> On Fri, 8 Jul 2016, Mikhail T. wrote:
> >>
> >>> On 08.07.2016 02:26, Mathieu Arnold wrote:
> >>>> During this summer (sometime in August I think) I will be changing
> >>>> the default OpenSSL for the ports tree from the base system version
> >>>> to security/openssl.
> >>>
> >>> The short answer is "Why?!" The longer reaction is: "please don't".
> >>>
> >> Why openssl is a part of base system at all?
> >>
> >
> > Maybe we can also ask: why is pkg not?
>
> This has been answered various times. I can't speak for the maintainers
> of pkg, but an answer to this question was already posted in this same
> thread:
>
> https://lists.freebsd.org/pipermail/freebsd-ports/2016-July/103886.html
>
> (second bullet in the list)
>
> If you look in the mailing list archives you will find more replies on
> the same tome.

Oh, sorry, I just wrote at first thought without googling much. Thanks
for the pointers, though, I will have a look at them.

Best,
Fernando
Re: base components should always be default (Re: change in default openssl coming)
On 07/09/16 19:31, Thierry Thomas wrote:
> On Sat 9 Jul 16 at 12:49:53 +0200, Guido Falsi wrote:
>
>> Completely removing OpenSSL from base requires replacing it with some
>> other SSL implementation, or removing a lot of other goodies which
>> interface themselves with the external world from base.
>
> Well, anyway, we are going to a packaged base, so this question won't be
> a problem.
>

Yes and no. Each user can choose to not install openssl parts and other
base packages depending on it. They can already do that anyway, there
are a lot of "WITHOUT" knobs, there's also WITHOUT_OPENSSL. Only real
difference is at present it has to be done compiling from source, with
packages it could be done by picking packages.

But that option will not change the basic problem of how the OS is
developed. FreeBSD base will anyway include OpenSSL even though users
can choose (and have been able to for a long while) to not install it.

-- 
Guido Falsi
Re: Can someone take a look at these PRs?
Hi!

> Add missing dependency to devel/gradle:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208471

Done.

> which will help unbreak the build of java/openjfx8-devel:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208470

testbuilds@work.

> And one for audio/portaudio which installs libtool wrapper scripts
> instead of actual binaries:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210455

Done.

-- 
p...@opsec.eu    +49 171 3101372    4 years to go !
Re: base components should always be default (Re: change in default openssl coming)
On Sat 9 Jul 16 at 20:35:59 +0200, Guido Falsi wrote:

> But that option will not change the basic problem of how the OS is
> developed. FreeBSD base will anyway include OpenSSL even though users
> can choose (and have been able to for a long while) to not install it.

But with a packaged base, OpenSSL from base and OpenSSL from ports could
be merged.

-- 
Th. Thomas.
Re: base components should always be default (Re: change in default openssl coming)
On 07/09/16 22:40, Thierry Thomas wrote:
> On Sat 9 Jul 16 at 20:35:59 +0200, Guido Falsi wrote:
>
>> But that option will not change the basic problem of how the OS is
>> developed. FreeBSD base will anyway include OpenSSL even though users
>> can choose (and have been able to for a long while) to not install it.
>
> But with a packaged base, OpenSSL from base and OpenSSL from ports could
> be merged.
>

Don't think that's an option. Having base depend on a port which can
change below it would be a major cause of instability. Also the port's
OpenSSL could change API/ABI at any time, while base software cannot
follow such a schedule. Base software requires a stable API, and needs
to be tested each time the library below it changes.

I think the only viable solution to this is making base OpenSSL a
private library not exposed externally (like other libraries in base) so
it is decoupled. As I said this would remove the need for stability of
the exposed ABI/API allowing base to update it whenever it's needed, and
also migrating to another implementation if that's what developers
choose to do.

This is also complicated by ports having mixed requirements. Certain
ported software depends on the latest and greatest SSL library, others
depend on older APIs, so ports have to cater for these needs too, which
are in sharp contrast with base ones.

I agree that packaged base anyway helps with making openssl private.

The point is, ports have a need to allow for linking with a vast array
of SSL libraries (two versions of OpenSSL and the various LibreSSL
PolarSSL and others), base needs a stable one with tested compatibility
at each slightest change.

-- 
Guido Falsi
Re: base components should always be default (Re: change in default openssl coming)
This discussion has now been going on for a while. Several times the
question "Why should we do this?" has been asked and answered, but I want
to know why it is desirable to have ports use the base OpenSSL. Other
than the time and disk space required to install the OpenSSL package, I
fail to see the point. There are clear advantages to making the base
library private to the base system but I have seen no real, significant
reason to use the base library. In particular, I have seen no basis for
the rather strongly worded subject of this fork of the original post.
Why should "base components should always be default"?

It would be nice if a response or two could be technically supportable,
but that might be asking a bit too much. The initial post to this was
mostly "because I like it this way" and was lacking in technical basis.

Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683