Bug 188184 - [patch] security/gnutls3: should not depend on security/openssl
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Bryan Drewery
Reported: 2014-04-02 00:50 UTC by Lawrence Chen
Modified: 2014-04-02 02:20 UTC (History)

Attachments
patch (2.26 KB, patch)
2014-04-02 00:50 UTC, Lawrence Chen

Description Lawrence Chen 2014-04-02 00:50:00 UTC
	
	After this port was updated to 3.1.22 to address some vulnerabilities,
	I found that it wanted to install security/openssl from ports as
	a dependency.  But installing security/openssl from ports conflicts
	with other ports on my system; I avoid ports that need this.

	Plus doesn't it seem strange that gnutls needs openssl?

Fix: The default options for dns/unbound make it need openssl-1.0+, which
	has become a required dependency for gnutls3, even though it's a
	feature auto-activation in the configure script.

	The inclusion from dns/unbound is to add DNSSEC Verification support to
	DANE.  And, for the '--check' option of danetool3.

	So, I have made it an option, default to disabled, to not inconvenience
	people just needing this as an auto pkg.

	Don't know why the man page for danetool3 is omitted if
	--disable-libdane is set.
Comment 1 Edwin Groothuis freebsd_committer 2014-04-02 00:50:03 UTC
Responsible Changed
From-To: freebsd-ports-bugs->bdrewery

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer 2014-04-02 02:16:09 UTC
Author: bdrewery
Date: Wed Apr  2 01:16:02 2014
New Revision: 349899
URL: http://svnweb.freebsd.org/changeset/ports/349899
QAT: https://qat.redports.org/buildarchive/r349899/

Log:
  - Hide libdane support behind option LIBDANE
  - Disable by default as it ends up pulling in openssl via unbound, which
    is odd for gnutls3 to do.
  
  PR:		ports/188184
  Submitted by:	Lawrence "The Dreamer" Chen <beastie@tardisi.com> (based on)
  Discussed with:	wg

Modified:
  head/UPDATING
  head/security/gnutls3/Makefile
  head/security/gnutls3/pkg-plist

Modified: head/UPDATING
==============================================================================
--- head/UPDATING	Wed Apr  2 00:51:01 2014	(r349898)
+++ head/UPDATING	Wed Apr  2 01:16:02 2014	(r349899)
@@ -5,6 +5,13 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.
 
+20140401:
+  AFFECTS: users of security/gnutls3
+  AUTHOR: bdrewery@FreeBSD.org
+
+  Libdane support is no longer enabled by default.  Rebuild the port with
+  the LIBDANE option if danetool is desired.
+
 20140331:
   AFFECTS: users of print/cups-client and print/cups-image
   AUTHOR: bsam@FreeBSD.org
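Review bot: The new 20140401 entry names "danetool", but the tool this port installs is danetool3, and the entry does not say that libgnutls-dane, gnutls/dane.h and gnutls3-dane.pc also leave the default package (see the pkg-plist changes in this commit). Anyone building or running software against libgnutls-dane needs the same rebuild, so I would word it as "Rebuild the port with the LIBDANE option if danetool3 or libgnutls-dane is needed."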

Modified: head/security/gnutls3/Makefile
==============================================================================
--- head/security/gnutls3/Makefile	Wed Apr  2 00:51:01 2014	(r349898)
+++ head/security/gnutls3/Makefile	Wed Apr  2 01:16:02 2014	(r349899)
@@ -3,6 +3,7 @@
 
 PORTNAME=	gnutls
 PORTVERSION=	3.1.22
+PORTREVISION=	1
 CATEGORIES=	security net
 MASTER_SITES=	ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/
 PKGNAMESUFFIX=	${GNUTLS_SUFFIX}
@@ -15,7 +16,6 @@ LIB_DEPENDS=	libgpg-error.so:${PORTSDIR}
 		libnettle.so:${PORTSDIR}/security/nettle \
 		libp11-kit.so:${PORTSDIR}/security/p11-kit \
 		libidn.so:${PORTSDIR}/dns/libidn \
-		libunbound.so:${PORTSDIR}/dns/unbound \
 		libtspi.so:${PORTSDIR}/security/trousers
 
 GNUTLS_SUFFIX=	3
@@ -42,11 +42,14 @@ DOCSDIR=	${PREFIX}/share/doc/${PORTNAME}
 EXAMPLESDIR=	${PREFIX}/share/examples/${PORTNAME}${GNUTLS_SUFFIX}
 INFO_SUBDIR=	gnutls${GNUTLS_SUFFIX}
 
-OPTIONS_DEFINE=		CXX DOCS EXAMPLES LIBTASN1
+OPTIONS_DEFINE=		CXX DOCS EXAMPLES LIBTASN1 LIBDANE
 OPTIONS_DEFAULT=	CXX
 OPTIONS_SUB=		yes
 
 LIBTASN1_DESC=	Use libtasn1 from ports
+LIBDANE_DESC=	DNSSEC support for DANE (danetool3 --check)
+LIBDANE_LIB_DEPENDS=	libunbound.so:${PORTSDIR}/dns/unbound
+LIBDANE_CONFIGURE_OFF=	--disable-libdane
 
 CXX_CONFIGURE_ENABLE=	cxx
 
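Review bot: LIBDANE_CONFIGURE_OFF passes --disable-libdane only when the option is off; when LIBDANE is on, nothing is passed and the build depends on configure detecting libunbound by itself. Consider expressing this as LIBDANE_CONFIGURE_ENABLE= libdane, in the same form as the CXX_CONFIGURE_ENABLE= cxx line just below, so that both states are passed explicitly (this assumes configure accepts the enable form of the same switch). A smaller style point: OPTIONS_DEFINE now ends "LIBTASN1 LIBDANE", and LIBDANE_DESC follows LIBTASN1_DESC; keeping both lists in alphabetical order makes later option additions easier to review.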

Modified: head/security/gnutls3/pkg-plist
==============================================================================
--- head/security/gnutls3/pkg-plist	Wed Apr  2 00:51:01 2014	(r349898)
+++ head/security/gnutls3/pkg-plist	Wed Apr  2 01:16:02 2014	(r349899)
@@ -12,7 +12,7 @@ bin/tpmtool3
 include/gnutls3/gnutls/abstract.h
 include/gnutls3/gnutls/compat.h
 include/gnutls3/gnutls/crypto.h
-include/gnutls3/gnutls/dane.h
+%%LIBDANE%%include/gnutls3/gnutls/dane.h
 include/gnutls3/gnutls/dtls.h
 include/gnutls3/gnutls/gnutls.h
 %%CXX%%include/gnutls3/gnutls/gnutlsxx.h
@@ -42,10 +42,10 @@ info/gnutls3/gnutls.info-3
 info/gnutls3/gnutls.info-4
 info/gnutls3/gnutls.info-5
 info/gnutls3/pkcs11-vision.png
-lib/gnutls3/libgnutls-dane.a
-lib/gnutls3/libgnutls-dane.la
-lib/gnutls3/libgnutls-dane.so
-lib/gnutls3/libgnutls-dane.so.0
+%%LIBDANE%%lib/gnutls3/libgnutls-dane.a
+%%LIBDANE%%lib/gnutls3/libgnutls-dane.la
+%%LIBDANE%%lib/gnutls3/libgnutls-dane.so
+%%LIBDANE%%lib/gnutls3/libgnutls-dane.so.0
 lib/gnutls3/libgnutls-openssl.a
 lib/gnutls3/libgnutls-openssl.la
 lib/gnutls3/libgnutls-openssl.so
@@ -63,8 +63,8 @@ lib/gnutls3/libgnutls.so.28
 %%CXX%%lib/gnutls3/libgnutlsxx.so
 %%CXX%%lib/gnutls3/libgnutlsxx.so.28
 libdata/pkgconfig/gnutls3.pc
-libdata/pkgconfig/gnutls3-dane.pc
-man/man1/danetool3.1.gz
+%%LIBDANE%%libdata/pkgconfig/gnutls3-dane.pc
+%%LIBDANE%%man/man1/danetool3.1.gz
 man/man1/certtool3.1.gz
 man/man1/gnutls-cli-debug3.1.gz
 man/man1/gnutls-cli3.1.gz
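Review bot: The danetool3 man page and gnutls3-dane.pc become conditional on LIBDANE here, but no hunk in this file touches a bin/danetool3 entry. Please confirm with a LIBDANE-off build what --disable-libdane does to the binary. If it is no longer built, its plist line needs the %%LIBDANE%% prefix as well or packaging will fail on the missing file. If it is still installed, the default package ships a tool without its man page, which matches the submitter's observation in the PR and deserves either a comment in the Makefile or a fix in the build.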
Comment 3 Bryan Drewery freebsd_committer 2014-04-02 02:16:43 UTC
State Changed
From-To: open->closed

Committed (note the LIBDANE_* helper macros I used instead). Default is 
no libdane now.