Bug 256140

Summary: security/p5-Crypt-SSLeay dependency to p5-LWP-Protocol-https
Product: Ports & Packages Reporter: Gert Doering <gert>
Component: Individual Port(s)Assignee: freebsd-perl (Nobody) <perl>
Status: New ---    
Severity: Affects Some People Flags: bugzilla: maintainer-feedback? (perl)
Priority: ---    
Version: Latest   
Hardware: Any   
OS: Any   

Description Gert Doering 2021-05-25 06:38:43 UTC

upgrading ports/pkgs, and noted this:

New packages to be INSTALLED:
        p5-Authen-NTLM: 1.09_1
        p5-Crypt-SSLeay: 0.72_3
        p5-File-Listing: 6.14
        p5-HTTP-Cookies: 6.10
        p5-HTTP-Negotiate: 6.01_1
        p5-LWP-Protocol-https: 6.10
        p5-Net-HTTP: 6.21
        p5-Try-Tiny: 0.30
        p5-WWW-RobotRules: 6.02_1
        p5-libwww: 6.54

Installed packages to be UPGRADED:
        p5-DBD-mysql: 4.050 -> 4.050_1

so, upgrading p5-DBD-mysql brings in 10 new packages that are not needed otherwise on the system.  I try to keep my systems as clean as possible, so if this happens I try to find out why.

The change in p5-DBD-mysql is to enable SSL by default, which activates a dependency to p5-Crypt-SSLeay - so far, ok.

Now, why does the rest happen?

p5-Crypt-SSLeay has

BUILD_DEPENDS=  p5-LWP-Protocol-https>=6.02:www/p5-LWP-Protocol-https \
                p5-Path-Class>=0.26:devel/p5-Path-Class \
RUN_DEPENDS=    p5-LWP-Protocol-https>=6.02:www/p5-LWP-Protocol-https

which I find surprising - p5-Crypt-SSLeay used to be a dependency of LWP::Protocol::https, not "the other way round".

I tried to find a reason in the code ("grep -R ^use work") but as far as I could see it only mentions LWP::UserAgent in the documentation, and even mentions that one does not need Crypt::SSLeay anymore(!) to get https support in LWP - because it was unbundled to LWP::Protocol::https (as a replacement, not dependency).

I tried to remove the DEPENDS setting, and it seems to build and test same way as with the dependency...

Long story short - can you please check whether this BUILD_DEPENDS/RUN_DEPENDS to p5-LWP-Protocol-https is needed anymore?