Bug 199106 - [stage-qa] [PATCH] New stage-qa check 'basemix': Prevents some dangerous mixing of base and port libraries
Status: Closed Not Accepted
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Ports Framework
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Port Management Team
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2015-04-02 00:04 UTC by Yuri Victorovich
Modified: 2016-04-13 11:32 UTC

See Also:


Attachments
patch (2.36 KB, patch)
2015-04-02 00:04 UTC, Yuri Victorovich
patch (2.23 KB, text/plain)
2015-04-02 00:11 UTC, Yuri Victorovich
patch (2.23 KB, patch)
2015-04-02 00:12 UTC, Yuri Victorovich
patch (2.23 KB, patch)
2015-04-02 08:09 UTC, Yuri Victorovich
patch (1.99 KB, patch)
2015-04-02 08:27 UTC, Yuri Victorovich

Description Yuri Victorovich freebsd_committer 2015-04-02 00:04:21 UTC
Created attachment 155107
patch

This is to particularly prevent the use of OpenSSL from base by ports, which should only use the openssl port.

Ports framework should first be fixed to prevent OpenSSL from the base, then this check will serve to assure such use doesn't happen any more.

See current discussion in ports@
Comment 1 Yuri Victorovich freebsd_committer 2015-04-02 00:11:52 UTC
Created attachment 155108
patch
Comment 2 Yuri Victorovich freebsd_committer 2015-04-02 00:12:36 UTC
Created attachment 155109
patch
Comment 3 Yuri Victorovich freebsd_committer 2015-04-02 00:36:16 UTC
Option GSSAPI=BASE will always cause this check failure, so it should be removed. Ex. ftp/curl.

Banning libssl.so, libcrypto.so is sufficient to catch gssapi, because base gssapi always pulls base libssl.
Comment 4 Mathieu Arnold freebsd_committer 2015-04-02 07:33:24 UTC
If you need PKGNAME in the qa script, why don't you pass PKGNAME instead of PKGBASE-VERSION to it?
Comment 5 Guido Falsi freebsd_committer 2015-04-02 08:01:18 UTC
(In reply to yuri from comment #3)

GSSAPI=BASE (and GSS_API=NONE) are needed at present to help avoid these conflicts in some situations (asterisk port with SRTP support, for example).

If the conflict is solved or removed GSSAPI=BASE can go away.

At present an exp-run with this QA test and WITH_OPENSSL_PORT=yes can give us a picture of how bad the situation is. We should start patching things from there.
Comment 6 Yuri Victorovich freebsd_committer 2015-04-02 08:09:27 UTC
Created attachment 155116
patch

Corrected PKGNAME, thanks.
Comment 7 Antoine Brodin freebsd_committer 2015-04-02 08:18:46 UTC
Why don't you add PKGNAME or whatever to QA_ENV?
Comment 8 Yuri Victorovich freebsd_committer 2015-04-02 08:27:05 UTC
Created attachment 155117
patch

Moved PKGNAME to QA_ENV
Comment 9 Yuri Victorovich freebsd_committer 2015-05-06 10:34:34 UTC
I believe this can be checked in as a warning instead of an error first. Later, when all of them are fixed, the warning can be changed into an error.
Comment 10 Yuri Victorovich freebsd_committer 2015-05-11 00:06:32 UTC
Could you please commit this in the warning mode:
these lines
> err "Shared library ${so_name} from the base system should not be used by port."
> return 1
replaced with this line
> warn "Shared library ${so_name} from the base system should not be used by port."
for now?

At least, it will make it obvious which ports are still affected.
I am getting the new qbittorrent version crashing in openssl on one of the systems for no apparent reason, and working on other systems.
And qbittorrent also triggers such a warning.
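
The check discussed in comments 3 and 10, as an added example (it is not the patch attached to this bug and not the ports framework's own code): it scans `ldd`-style output for the banned sonames resolving to base-system paths and either warns or fails. The function names, the base paths `/lib` and `/usr/lib`, the `/usr/local` port prefix and the sample `ldd` output are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; basemix_scan and sample_ldd are hypothetical names.
# Sonames banned per comment 3.
BANNED_LIBS="libssl.so libcrypto.so"

# basemix_scan MODE: read ldd-style lines on stdin and report banned base libs.
# MODE=err makes any hit fatal (return 1); MODE=warn only reports (comment 10).
basemix_scan() {
	mode=$1
	rc=0
	while read -r so_name arrow path _rest; do
		[ "$arrow" = "=>" ] || continue      # skip the header and odd lines
		case "$path" in
			/lib/*|/usr/lib/*) ;;            # base system locations (assumed)
			*) continue ;;                   # e.g. /usr/local/lib: from a port
		esac
		for lib in $BANNED_LIBS; do
			case "$so_name" in
				"$lib"|"$lib".*)
					# Plain echo stands in for the framework's err/warn helpers.
					echo "${mode}: Shared library ${so_name} from the base system should not be used by port."
					if [ "$mode" = err ]; then rc=1; fi
					;;
			esac
		done
	done
	return $rc
}

# Constructed ldd output: a binary that pulls in libcrypto from both the
# openssl port and the base system, the mix this bug is about.
sample_ldd() {
	cat <<'EOF'
/stage/usr/local/bin/example:
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x801000000)
	libc.so.7 => /lib/libc.so.7 (0x801400000)
EOF
}

sample_ldd | basemix_scan warn
```
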
Comment 11 Antoine Brodin freebsd_committer 2015-05-11 06:48:14 UTC
I think that this is really premature, using openssl from base is still the default.
Comment 12 Yuri Victorovich freebsd_committer 2015-05-11 06:56:23 UTC
No way, it crashes all over the place. Look for discussion in ports@ started on Apr 1. Ask bdrewery@ if in doubt.

They tried to correct this, but didn't succeed or finish yet. I have this new qbittorrent package. When I installed the same package on 3 machines, 2 work fine, and one crashes in OpenSSL. This is when I have rebuilt it manually in ports. When I rebuild it in poudriere - all 3 of them crash. Because poudriere is more likely to link with the base OpenSSL. It is a very nasty problem.

Need to get rid of the base OpenSSL as soon as possible.
Comment 13 Mathieu Arnold freebsd_committer 2016-04-13 11:32:00 UTC
Currently being worked on in https://reviews.freebsd.org/D5865