Bug 237487

Summary: security/py-cryptography: Fails to build with libressl 2.9.1
Product: Ports & Packages Reporter: Simeon Simeonov <sgs>
Component: Individual Port(s)Assignee: Kubilay Kocak <koobs>
Status: Closed FIXED    
Severity: Affects Some People CC: andrej, brnrd, dweimer, gahr, jakub_lach, maciej, oz42, rozhuk.im
Priority: --- Flags: koobs: maintainer-feedback+
Version: Latest   
Hardware: Any   
OS: Any   
See Also: https://github.com/pyca/cryptography/pull/4855
Attachments:
Description Flags
Build log
none
py-cryptography-libressl291.patch
none
QA'd patch none

Description Simeon Simeonov 2019-04-23 08:09:40 UTC
Created attachment 203914 [details]
Build log

After upgrading to the newest security/libressl (2.9.1), security/py-cryptography
fails to build.
Build log attached.
Comment 1 Maciej Pasternacki 2019-04-23 08:27:20 UTC
Seems related: https://github.com/pyca/cryptography/pull/4855
Comment 2 Maciej Pasternacki 2019-04-23 08:44:59 UTC
Created attachment 203915 [details]
py-cryptography-libressl291.patch

https://github.com/pyca/cryptography/pull/4855/ as a patch against ports tree, fixes py-crytpography build with LibreSSL 2.9.1
Comment 3 Pietro Cerutti freebsd_committer freebsd_triage 2019-04-23 09:50:05 UTC
I can confirm that https://github.com/pyca/cryptography/pull/4855 works fine. Thanks for taking care of this!
Comment 4 Dean E. Weimer 2019-04-23 12:39:55 UTC
(In reply to Maciej Pasternacki from comment #2)

This patch didn't work for me, received some redefinition errors.


creating build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7
cc -DNDEBUG -O2 -pipe -I/usr/local/include -fstack-protector -fno-strict-aliasing -fPIC -I/usr/local/include/python3.7m -c build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/_openssl.c -o build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/_openssl.o -Wconversion -Wno-error=sign-conversion
build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/_openssl.c:2498:21: error: redefinition of 'DTLS_method' as different kind of symbol
const SSL_METHOD *(*DTLS_method)(void) = NULL;
                    ^
/usr/local/include/openssl/ssl.h:1474:19: note: previous definition is here
const SSL_METHOD *DTLS_method(void);            /* DTLS v1.0 or later */
                  ^
build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/_openssl.c:2499:21: error: redefinition of 'DTLS_server_method' as different kind of symbol
const SSL_METHOD *(*DTLS_server_method)(void) = NULL;
                    ^
/usr/local/include/openssl/ssl.h:1475:19: note: previous definition is here
const SSL_METHOD *DTLS_server_method(void);     /* DTLS v1.0 or later */
                  ^
build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/_openssl.c:2500:21: error: redefinition of 'DTLS_client_method' as different kind of symbol
const SSL_METHOD *(*DTLS_client_method)(void) = NULL;
                    ^
/usr/local/include/openssl/ssl.h:1476:19: note: previous definition is here
const SSL_METHOD *DTLS_client_method(void);     /* DTLS v1.0 or later */
Comment 5 Dean E. Weimer 2019-04-23 12:49:46 UTC
(In reply to Dean E. Weimer from comment #4)
never mind, patch didn't apply correctly, changes weren't applied to my ports build attempt.
Comment 6 jakub_lach 2019-04-24 22:25:39 UTC
Patch works, thanks!
Comment 7 Pietro Cerutti freebsd_committer freebsd_triage 2019-04-25 12:04:34 UTC
The patch works for all combinations of (i386, amd64) and (base, openssl, openssl111, libressl):

https://people.freebsd.org/~gahr/py36-cryptography-logs/
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2019-04-25 12:18:46 UTC
(In reply to Pietro Cerutti from comment #7)

Patch applies cleanly, but then I get the following at patch stage:

===>  Applying FreeBSD patches for py27-cryptography-2.6.1
1 out of 1 hunks failed--saving rejects to src/_cffi_src/openssl/cryptography.py.rej
=> FreeBSD patch patch-src___cffi__src_openssl_cryptography.py failed to apply cleanly.
*** Error code 1

@Maciej Was the patch backported against the current version (2.6.1) ?
Comment 9 Pietro Cerutti freebsd_committer freebsd_triage 2019-04-25 12:38:06 UTC
Here's the version I used.
https://people.freebsd.org/~gahr/py36-cryptography-logs/patch-libressl-1.9.1.txt
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2019-04-25 12:58:46 UTC
(In reply to Pietro Cerutti from comment #9)

Could you include it as an attachment here please, and is your version of the patch the one that was QA'd with base/openssl/openssl111/libressl{11,12} ?
Comment 11 Pietro Cerutti freebsd_committer freebsd_triage 2019-04-25 13:03:41 UTC
Created attachment 204005 [details]
QA'd patch
Comment 12 Pietro Cerutti freebsd_committer freebsd_triage 2019-04-25 13:05:08 UTC
(In reply to Kubilay Kocak from comment #10)
Yes - I uploaded directly from my ports tree
Comment 13 Maciej Pasternacki 2019-04-25 13:29:11 UTC
The patch I attached was generated against PORTVERSION 2.6.1 (master branch of https://github.com/freebsd/freebsd-ports which tracks SVN HEAD; there were no commits in security/py-cryptography after I made the patch).

In case I generated it the wrong way: I ran `make extract`, applied patches manually in work dir, ran `make makepatch`, committed generated `files/patch-*` into my private git repo. The attached patch is diff of the resulting commit.

I just checked that `make clean patch` works with both py27 and py37 flavors (and poudriere doesn't complain either). I'm running CURRENT (r346149 at the moment), so version of patch/diff might be slightly different than RELEASE/STABLE.

I can regenerate the patches if needed, but Pietro's version has received more extensive QA.
Comment 14 Kubilay Kocak freebsd_committer freebsd_triage 2019-04-25 13:32:53 UTC
Thank you both for following up, I'll test Pietro's patch and report back
Comment 15 commit-hook freebsd_committer freebsd_triage 2019-04-26 05:13:40 UTC
A commit references this bug:

Author: koobs
Date: Fri Apr 26 05:13:27 UTC 2019
New revision: 500082
URL: https://svnweb.freebsd.org/changeset/ports/500082

Log:
  security/py-cryptography: Fix build with libressl 2.9.1

  Backport upstream pull request #4855 by Charlie Li <ml+freebsd vishwin info>

  PR:		237487
  Submitted by:	Maciej Pasternacki <maciej pasternacki. net> (v1)
  Submitted by:	gahr (v2)
  Reported by:	Simeon Simeonov <sgs pichove org>
  Obtained from:	https://github.com/pyca/cryptography/pull/4855
  Tested by:	gahr (all USES=ssl versions), many

Changes:
  head/security/py-cryptography/files/
  head/security/py-cryptography/files/patch-PR4855
Comment 16 Kubilay Kocak freebsd_committer freebsd_triage 2019-04-26 05:15:35 UTC
Committed, with minor changes (added patch comments).

Thank you everyone for the quality of the report, upstream resolution, testing and confirmation of resolution.