Bug 217088

Summary: www/h2o: upgrade 2.0.4 to 2.1.0 and drop bundled libressl switch
Product: Ports & Packages
Component: Individual Port(s)
Reporter: Dave Cottlehuber <dch>
Assignee: Dmitry Marakasov <amdmi3>
Status: Closed FIXED
Severity: Affects Only Me
Priority: ---
CC: ports-bugs, shun.fbsd.pr
Version: Latest
Hardware: Any
OS: Any

Attachments (description, flags):
- v1 patch (flags: none)
- v2 patch with corrected tabstops (flags: dch: maintainer-approval+)
- v3 patch with a newly discovered RUBY_NO_RUN_DEPENDS (flags: dch: maintainer-approval+)
- v4 patch fixes 10.3R filesystem contamination due to libressl leakage (flags: dch: maintainer-approval+)

Description Dave Cottlehuber freebsd_committer freebsd_triage 2017-02-13 22:03:35 UTC
Created attachment 179967
v1 patch

# QA

portlint & poudriere OK (11.0R amd64).

$ portlint -C
WARN: /usr/ports/www/h2o/pkg-plist: [2]: If and only if your port is DATADIR-safe (that is, a user can override DATADIR when building this port and the port will still work correctly) consider using DATADIR macro; if you are unsure if this port is DATADIR-safe, then ignore this warning
WARN: /usr/ports/www/h2o/pkg-plist: [3]: If and only if your port is DATADIR-safe (that is, a user can override DATADIR when building this port and the port will still work correctly) consider using DATADIR macro; if you are unsure if this port is DATADIR-safe, then ignore this warning
WARN: /usr/ports/www/h2o/pkg-plist: [4]: If and only if your port is DATADIR-safe (that is, a user can override DATADIR when building this port and the port will still work correctly) consider using DATADIR macro; if you are unsure if this port is DATADIR-safe, then ignore this warning
WARN: /usr/ports/www/h2o/pkg-plist: [5]: If and only if your port is DATADIR-safe (that is, a user can override DATADIR when building this port and the port will still work correctly) consider using DATADIR macro; if you are unsure if this port is DATADIR-safe, then ignore this warning
WARN: Makefile: possible use of absolute pathname "/var/log/${PORTNAME}...".
FATAL: work: be sure to cleanup the working directory before committing the port.
1 fatal error and 5 warnings found.

# changes

www/h2o: upgrade 2.0.4 to 2.1.0 and drop bundled libressl switch

- Many HTTP/2 and performance improvements
- Support latest LibreSSL and OpenSSL libraries
- Numerous bug fixes
- include CPE security info contributed via shun.fbsd.pr@dropcut.net
- drop redundant bundled libressl option as now FreeBSD 10.x supports ChaCha and Poly algorithms across all project-supported SSL variants.


Full details at https://github.com/h2o/h2o/releases/tag/v2.1.0
Comment 1 Dave Cottlehuber freebsd_committer freebsd_triage 2017-02-14 13:59:19 UTC
Created attachment 179986
v2 patch with corrected tabstops

Corrected tab stops to match ports standard.
Comment 2 Dave Cottlehuber freebsd_committer freebsd_triage 2017-02-16 13:14:21 UTC
Created attachment 180044
v3 patch with a newly discovered RUBY_NO_RUN_DEPENDS

As we only need ruby to build mruby into h2o itself, there's no need
for a runtime dependency. Browsing through /usr/ports/*.mk I found a
knob to exclude it.
Comment 3 Dmitry Marakasov freebsd_committer freebsd_triage 2017-02-21 14:15:22 UTC
Fails to install on 10.x:

--- install-exec-am ---
make  install-exec-hook
--- install-exec-hook ---
mkdir: //etc/ssl/certs: Permission denied
*** [install-exec-hook] Error code 1
Comment 4 Dave Cottlehuber freebsd_committer freebsd_triage 2017-02-23 17:57:42 UTC
Thanks amdmi3. Can you attach poudriere or similar logs? Is this definitely from the h2o build, and not from some other package? I see no mention of /certs/ in my successful poudriere run on 10.3R amd64; the only (major) difference perhaps is that my build system uses libressl.

https://pkg.skunkwerks.at/poudriere/data/10_amd64-default/2017-02-23_17h15m12s/logs/h2o-2.1.0.log
Comment 5 Dave Cottlehuber freebsd_committer freebsd_triage 2017-02-23 22:28:26 UTC
OK, found it; yes, it relates to using openssl instead of libressl.
Comment 6 Wen Heping freebsd_committer freebsd_triage 2017-03-06 10:14:49 UTC
*** Bug 215890 has been marked as a duplicate of this bug. ***
Comment 7 Dave Cottlehuber freebsd_committer freebsd_triage 2017-03-06 20:03:58 UTC
I'm clear what the specific 10.3R issue is now:

- 10.3 comes with a version of OpenSSL in base that is too low for h2o as it
  has no ALPN support
- h2o tries to use its embedded LibreSSL which is not what we want

Fix is to ensure that on all supported FreeBSD versions, we depend on the
  user's preferred TLS library, whether Libre/Open/...
Comment 8 Dave Cottlehuber freebsd_committer freebsd_triage 2017-03-06 23:33:06 UTC
Created attachment 180578
v4 patch fixes 10.3R filesystem contamination due to libressl leakage

# QA

- 10.3 amd64 libressl: https://pkg.skunkwerks.at/poudriere/data/10_amd64-default/2017-03-06_22h28m26s/logs/h2o-2.1.0.log
-- Found OpenSSL: /usr/local/lib/libssl.so;/usr/local/lib/libcrypto.so (found version "2.0.0") 


- 10.3 amd64 openssl: https://pkg.skunkwerks.at/poudriere/data/10_amd64-default/2017-03-06_22h24m37s/logs/h2o-2.1.0.log
-- Found OpenSSL: /usr/lib/libssl.so;/usr/lib/libcrypto.so (found version "1.0.1s") 

The other combos won't finish until tomorrow.

# patch

If you use git then https://github.com/skunkwerks/ports/commit/b662cf9.patch is probably easier to apply.
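
Added example, not part of the bug report or the port: a shell function that reads the "-- Found OpenSSL:" line quoted in comment 8 and reports whether the library came from base or from ports, and whether that OpenSSL version has ALPN (present from OpenSSL 1.0.2), which is the gap comment 7 describes. The name classify_tls is hypothetical, treating version "2.0.0" as LibreSSL is an assumption noted in the code, and the third sample line is constructed.

```shell
#!/bin/sh
# Added example: classify the TLS library that CMake's FindOpenSSL selected,
# using the "-- Found OpenSSL:" line recorded in a poudriere build log.

# classify_tls LINE
# Prints "<origin> <flavour> <version> alpn=<yes|no|unknown>"; returns 1 if
# LINE is not a "Found OpenSSL" line.
classify_tls() {
    lib=$(printf '%s\n' "$1" | sed -n 's/^-- Found OpenSSL: \([^;]*\);.*/\1/p')
    ver=$(printf '%s\n' "$1" | sed -n 's/.*(found version "\([^"]*\)").*/\1/p')
    [ -n "$lib" ] && [ -n "$ver" ] || return 1

    # Base system libraries live in /usr/lib, ports/packages in /usr/local/lib.
    case $lib in
        /usr/local/lib/*) origin=ports ;;
        /usr/lib/*)       origin=base ;;
        *)                origin=other ;;
    esac

    # Assumption: LibreSSL pins OPENSSL_VERSION_NUMBER to 2.0.0, so that exact
    # string means LibreSSL and says nothing about its real release.
    if [ "$ver" = "2.0.0" ]; then
        printf '%s libressl %s alpn=unknown\n' "$origin" "$ver"
        return 0
    fi

    # Strip the letter patch level ("1.0.1s" -> "1.0.1") and split on dots.
    num=${ver%%[a-z]*}
    major=${num%%.*}; rest=${num#*.}
    minor=${rest%%.*}; fix=${rest#*.}

    # OpenSSL gained ALPN in 1.0.2; anything older cannot negotiate it.
    alpn=no
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 0 ]; } ||
       { [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$fix" -ge 2 ]; }; then
        alpn=yes
    fi
    printf '%s openssl %s alpn=%s\n' "$origin" "$ver" "$alpn"
}

# The two lines quoted in comment 8, plus one constructed line for contrast.
while IFS= read -r l; do
    classify_tls "$l"
done <<'EOF'
-- Found OpenSSL: /usr/local/lib/libssl.so;/usr/local/lib/libcrypto.so (found version "2.0.0")
-- Found OpenSSL: /usr/lib/libssl.so;/usr/lib/libcrypto.so (found version "1.0.1s")
-- Found OpenSSL: /usr/lib/libssl.so;/usr/lib/libcrypto.so (found version "1.0.2k")
EOF
```

For a LibreSSL result the real release has to be read from the installed package, since the log line only carries the pinned compatibility version.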
Comment 9 commit-hook freebsd_committer freebsd_triage 2017-03-17 18:39:13 UTC
A commit references this bug:

Author: amdmi3
Date: Fri Mar 17 18:38:07 UTC 2017
New revision: 436349
URL: https://svnweb.freebsd.org/changeset/ports/436349

Log:
  - Upgrade to 2.1.0
  - Drop bundled libressl switch

  PR:		217088
  Submitted by:	dch@skunkwerks.at (maintainer)

Changes:
  head/www/h2o/Makefile
  head/www/h2o/distinfo
  head/www/h2o/files/patch-CMakeLists.txt
  head/www/h2o/files/patch-lib_core_request.c
  head/www/h2o/files/patch-lib_http2_connection.c
  head/www/h2o/pkg-plist