Created attachment 255126: net-im/gurk-rs 0.5.2
The attached patch updates net-im/gurk-rs to version 0.5.2.
Hi, I started working on updating it to the latest version but ended up without free time. Thank you for the patch! Tested and it works.
This port seems to bundle OpenSSL:
    $ cd net-im/gurk-rs && make
    /!\ gurk-rs-0.5.2: Makefile warnings, please consider fixing /!\
    Please make sure this port uses the system OpenSSL and consider removing CARGO_CRATES=openssl-src-300.3.1+3.3.1 (a vendored copy of OpenSSL) from the build, e.g., by patching Cargo.toml appropriately.
We do not want Rust ports to bundle OpenSSL as that is a potentially severe security issue. Please check and patch as indicated. Most likely, there is an option to use system OpenSSL over the bundled one.
Port builds fine on arm64 FreeBSD 15-CURRENT. Also bundled is sqlite3, check if you can make it use databases/sqlite3 instead. If you find any other bundled libraries, check if you can unbundle them. Unlike for OpenSSL, this is not a hard requirement though.
???? I have no idea.
    $ grep -R openssl-src-300 */*/Makefile.crates
    devel/cargo-c/Makefile.crates: openssl-src-300.3.2+3.3.2 \
    devel/cargo-generate/Makefile.crates: openssl-src-300.2.3+3.2.1 \
    devel/jujutsu/Makefile.crates: openssl-src-300.3.2+3.3.2 \
    net-p2p/oura/Makefile.crates: openssl-src-300.2.1+3.2.0 \
    net/s3m/Makefile.crates: openssl-src-300.3.1+3.3.1 \
    security/arti/Makefile.crates: openssl-src-300.4.0+3.4.0 \
    security/vaultwarden/Makefile.crates: openssl-src-300.4.0+3.4.0 \
    shells/sheldon/Makefile.crates: openssl-src-300.3.1+3.3.1 \
    textproc/quickwit/Makefile.crates: openssl-src-300.2.3+3.2.1 \
    textproc/typst/Makefile.crates: openssl-src-300.3.2+3.3.2 \
    www/hurl/Makefile.crates: openssl-src-300.3.1+3.3.1 \
    x11/wezterm/Makefile.crates: openssl-src-300.2.1+3.2.0 \
    $ grep -R sqlite3 */*/Makefile.crates
    audio/gnome-podcasts/Makefile.crates: libsqlite3-sys-0.26.0 \
    audio/shortwave/Makefile.crates: libsqlite3-sys-0.22.2 \
    devel/cargo-c/Makefile.crates: libsqlite3-sys-0.30.1 \
    devel/radicle/Makefile.crates: sqlite3-src-0.5.1 \
    devel/radicle/Makefile.crates: sqlite3-sys-0.15.2 \
    games/anki/Makefile.crates: libsqlite3-sys-0.27.0 \
    games/veloren-weekly/Makefile.crates: libsqlite3-sys-0.28.0 \
    misc/broot/Makefile.crates: libsqlite3-sys-0.20.1 \
    net-im/conduit/Makefile.crates: libsqlite3-sys-0.28.0 \
    net-im/gurk-rs/Makefile.crates: libsqlite3-sys-0.30.1 \
    net-im/iamb/Makefile.crates: libsqlite3-sys-0.27.0 \
    net-p2p/cncli/Makefile.crates: libsqlite3-sys-0.27.0 \
    net/rustdesk-server/Makefile.crates: libsqlite3-sys-0.24.2 \
    security/arti/Makefile.crates: libsqlite3-sys-0.30.1 \
    security/authenticator/Makefile.crates: libsqlite3-sys-0.26.0 \
    security/sequoia-sq/Makefile.crates: libsqlite3-sys-0.28.0 \
    security/vaultwarden/Makefile.crates: libsqlite3-sys-0.30.1 \
    sysutils/bupstash/Makefile.crates: libsqlite3-sys-0.22.2 \
    textproc/quickwit/Makefile.crates: libsqlite3-sys-0.27.0 \
    www/deno/Makefile.crates: libsqlite3-sys-0.30.0 \
    www/garage/Makefile.crates: libsqlite3-sys-0.28.0 \
    www/sqlpage/Makefile.crates: libsqlite3-sys-0.30.1 \
    x11/wezterm/Makefile.crates: libsqlite3-sys-0.24.2 \
(In reply to Herbert J. Skuhra from comment #4) Yes, this is not the only port that bundles openssl-src, as committers sometimes forget to check. Really, this should be systematically fixed. See e.g. devel/gitui for how to patch this dependency out.
Maybe exporting OPENSSL_NO_VENDOR=true is all we need? https://docs.rs/openssl/latest/openssl/#manual
(In reply to Herbert J. Skuhra from comment #6) It is possible. If you set DEVELOPER=yes in /etc/make.conf, you'll see these warnings. So try to add that, remove the openssl-src crates, do a test build, and if the warning disappeared, it's probably fine.
(In reply to Robert Clausecker from comment #7) OK, that doesn't work. I think the problem is line 52 in Cargo.toml:
    libsqlite3-sys = { version = "0.30.1", features = ["bundled-sqlcipher-vendored-openssl"] }
I can add ssl to USES and replace bundled-sqlcipher-vendored-openssl with bundled-sqlcipher. Or I can replace bundled-sqlcipher-vendored-openssl with sqlcipher. Then I guess I have to add databases/sqlcipher to BUILD_DEPENDS. Still testing. Maybe the maintainer has a better solution?
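An added example, not part of the thread or of the gurk-rs project: tracing which crate pulls openssl-src into a Cargo.lock, the question answered by hand in the comment above. The lock excerpt is constructed; the package name `gurk` and the 0.0.0 versions are assumptions.

```python
import re
from collections import deque

# Constructed, condensed Cargo.lock excerpt (not the real gurk-rs lock file).
SAMPLE_LOCK = '''
[[package]]
name = "gurk"
version = "0.0.0"
dependencies = ["libsqlite3-sys"]
[[package]]
name = "libsqlite3-sys"
version = "0.30.1"
dependencies = ["cc", "openssl-sys 0.0.0"]
[[package]]
name = "openssl-sys"
version = "0.0.0"
dependencies = ["cc", "openssl-src"]
[[package]]
name = "openssl-src"
version = "300.3.1+3.3.1"
'''

def parse_lock(text):
    """Map package name -> (version, [dependency names]); last duplicate name wins."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        field = lambda key: re.search(rf'^{key} = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r'^dependencies = \[(.*?)\]', block, re.M | re.S)
        # Entries read "name" or "name version"; keep only the name.
        names = [d.split()[0] for d in re.findall(r'"([^"]+)"', deps.group(1))] if deps else []
        pkgs[field("name")] = (field("version"), names)
    return pkgs

def why(pkgs, root, target):
    """Shortest dependency chain from root to target, or None if unreachable."""
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for dep in pkgs.get(path[-1], ("", []))[1]:
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return None

if __name__ == "__main__":
    pkgs = parse_lock(SAMPLE_LOCK)
    print(" -> ".join(why(pkgs, "gurk", "openssl-src")), "| OpenSSL", pkgs["openssl-src"][0].split("+")[1])
```

The part of the openssl-src version after the `+` is the bundled OpenSSL release, so the same parse also tells you which OpenSSL version a port would ship.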
(In reply to Herbert J. Skuhra from comment #8)
> Or I can replace bundled-sqlcipher-vendored-openssl with sqlcipher. Then I guess I have to add databases/sqlcipher to BUILD_DEPENDS.
That is probably the best solution. Unbundle everything that can be unbundled.
No response, returning to pool. If you provide an updated patch, I can take up the patch again and commit it.
gurk-rs 0.6.0 is out and I've decided to try again. Building gurk-rs with databases/sqlcipher on FreeBSD fails because the port (sqlcipher) is built without "-DSQLITE_ENABLE_COLUMN_METADATA=1" resulting in missing symbols (e.g.: sqlite3_column_table_name). With the below patch I can build gurk-rs: diff --git a/databases/sqlcipher/Makefile b/databases/sqlcipher/Makefile index d83f369394dd..73ec34cf22f8 100644 --- a/databases/sqlcipher/Makefile +++ b/databases/sqlcipher/Makefile @@ -17,7 +17,7 @@ USE_GITHUB= yes GNU_CONFIGURE= yes CONFIGURE_ARGS+=--enable-tempstore=yes --disable-tcl --disable-readline -CPPFLAGS+= -DSQLITE_HAS_CODEC +CPPFLAGS+= -DSQLITE_HAS_CODEC -DSQLITE_ENABLE_COLUMN_METADATA=1 LDFLAGS+= -L${LOCALBASE}/lib -L${OPENSSLLIB} CFLAGS+= -I${LOCALBASE}/include -I${OPENSSLINC} (Maybe more changes to databases/sqlcipher are useful - see e.g. https://gitlab.archlinux.org/archlinux/packaging/packages/sqlcipher/-/blob/main/PKGBUILD?ref_type=heads) I'll update the patch of this PR soon.
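Review bot: the CPPFLAGS change in this hunk alters which symbols the installed sqlcipher library exports, but the diff contains no other hunk, so PORTREVISION is not bumped. Without a bump, existing installations and prebuilt packages keep the library without sqlite3_column_table_name and a dependent port will still fail to link against them. Suggest bumping PORTREVISION in the same change.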
(In reply to Herbert J. Skuhra from comment #11) That sounds great! I have CC'ed the maintainer and last committer to touch databases/sqlcipher so they can look into updating the port to set that option. If you don't receive a response, I recommend that you file a bug report with the desired patch to go through the official channel. As long as that is not done, it's ok for you to bundle this dependency. Did you figure out how to unbundle OpenSSL?
My bad. Too many open terminals and I was building in the wrong directory. gurk-rs also needs sqlite3_unlock_notify (-DSQLITE_ENABLE_UNLOCK_NOTIFY) so I had to rebuild databases/sqlcipher with the following patch instead: diff --git a/databases/sqlcipher/Makefile b/databases/sqlcipher/Makefile index d83f369394dd..1f7a46105c83 100644 --- a/databases/sqlcipher/Makefile +++ b/databases/sqlcipher/Makefile @@ -17,7 +17,8 @@ USE_GITHUB= yes GNU_CONFIGURE= yes CONFIGURE_ARGS+=--enable-tempstore=yes --disable-tcl --disable-readline -CPPFLAGS+= -DSQLITE_HAS_CODEC +CPPFLAGS+= -DSQLITE_HAS_CODEC -DSQLITE_ENABLE_COLUMN_METADATA=1 \ + -DSQLITE_ENABLE_UNLOCK_NOTIFY LDFLAGS+= -L${LOCALBASE}/lib -L${OPENSSLLIB} CFLAGS+= -I${LOCALBASE}/include -I${OPENSSLINC} I think to unbundle openssl the following change in Cargo.toml is sufficient: libsqlite3-sys = { version = "0.30.1", features = [ - "bundled-sqlcipher-vendored-openssl", + "sqlcipher", ] } (and I also removed openssl-(src|sys) from Cargo.lock.) But I am still not sure if sqlcipher is actually working. More testing.
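Review bot: the two defines added on the CPPFLAGS lines of the databases/sqlcipher hunk are written inconsistently, -DSQLITE_ENABLE_COLUMN_METADATA=1 with a value and -DSQLITE_ENABLE_UNLOCK_NOTIFY without one. Pick one form for both, and add a one-line comment above CPPFLAGS naming the symbols that consumers need (sqlite3_column_table_name, sqlite3_unlock_notify) so that a later cleanup does not drop the options.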
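Review bot: in the Cargo.toml fragment, replacing "bundled-sqlcipher-vendored-openssl" with "sqlcipher" in the features list makes the build rely on an already installed sqlcipher, so the port Makefile needs the matching dependency on databases/sqlcipher in the same change, otherwise a clean build environment will not have the library. The hand edit of Cargo.lock should also be mirrored by removing the openssl-src entry from CARGO_CRATES, since that entry is what the framework warning quoted earlier in this report keys on.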
Any progress on this one? I recommend that you file a bug report against sqlcipher to have the desired options added. Add this bug as a dependency to the sqlcipher bug you file.
Update committed, thanks!
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=df9e8c4df0405a444daa38972ac2bc462082d7f9
commit df9e8c4df0405a444daa38972ac2bc462082d7f9
Author: Yuri Victorovich <yuri@FreeBSD.org>
AuthorDate: 2025-01-12 10:02:41 +0000
Commit: Yuri Victorovich <yuri@FreeBSD.org>
CommitDate: 2025-01-12 10:05:41 +0000
    net-im/gurk-rs: update 0.4.1 → 0.6.0
    PR: 282716
    Submitted by: Herbert J. Skuhra <herbert@gojira.at> (initial version)
    Approved by: bsd@orsolic.org (maintainer)
 net-im/gurk-rs/Makefile | 10 +-
 net-im/gurk-rs/Makefile.crates | 890 ++++++------
 net-im/gurk-rs/distinfo | 1778 ++++++++++++-----------
 net-im/gurk-rs/files/patch-Cargo.toml (new) | 8 +
 net-im/gurk-rs/files/patch-gurk-rs-curve (gone) | 8 -
 net-im/gurk-rs/files/patch-rust-1.80.0 (gone) | 25 -
 6 files changed, 1457 insertions(+), 1262 deletions(-)
(In reply to Yuri Victorovich from comment #15) Yuri, please read the comments before you push the update. This port has OpenSSL bundled, which is a huge security risk. This must be fixed. Dear submitter, please continue working on unbundling OpenSSL. Yuri committing your patch does not mean that it's okay to have OpenSSL bundled.