Created attachment 176044: v1

LibreSSL is currently ABI-incompatible with OpenSSL. One way to bypass the ABI is to not rely on it, by using a static library. This is an example of how to bundle such a library.
Created attachment 176045: 9.3R i386 |poudriere bulk -t| log (XZ compressed)
Actually, a PORTREVISION bump is unnecessary because:
- package(s) for this port are not currently built on the cluster
- the status quo is preserved for DEFAULT_VERSIONS = ssl=libressl
$ fgrep -H 'checking for tls_config_set_ca_mem' /poudriere/data/logs/bulk/*-default/latest/logs/openntpd-6.0p1_2,2.log
/poudriere/data/logs/bulk/101i386-default/latest/logs/openntpd-6.0p1_2,2.log:checking for tls_config_set_ca_mem... yes
/poudriere/data/logs/bulk/103amd64-default/latest/logs/openntpd-6.0p1_2,2.log:checking for tls_config_set_ca_mem... yes
/poudriere/data/logs/bulk/110i386-default/latest/logs/openntpd-6.0p1_2,2.log:checking for tls_config_set_ca_mem... yes
/poudriere/data/logs/bulk/93amd64-default/latest/logs/openntpd-6.0p1_2,2.log:checking for tls_config_set_ca_mem... yes
/poudriere/data/logs/bulk/93i386-default/latest/logs/openntpd-6.0p1_2,2.log:checking for tls_config_set_ca_mem... yes
I already considered this approach, but linking statically means that when there is an update to libressl, the installed openntpd will not pick up the fixed library and continue to use the old code. For this to work, the libressl maintainer would have to check the tree for such constructs and bump the PORTREVISION of all affected ports whenever there is an update to libressl.
security/acme-client already has a hack that requires just as much care on security/libressl updates. Also, the following isn't complicated:

$ fgrep -lr --include='Makefile*' :security/libressl ${PORTSDIR=/usr/ports} | sed 's,/Makefile,,' | xargs ${PORTSDIR}/Tools/scripts/bump-revision.sh

If security/libressl provided a non-conflicting shared library the maintainer would still have to do the same every time the ABI (or .so.X+1) changes. Looking at the history of updates this happens often (e.g. ports r414560, ports r420102) but not every time. devel/abi-compliance-checker can be used if trust in upstream drops.
A commit references this bug:

Author: naddy
Date: Fri Oct 28 20:38:17 UTC 2016
New revision: 424884
URL: https://svnweb.freebsd.org/changeset/ports/424884

Log:
  Unblock the package build via static libressl. Adapted from [1].

  OpenNTPD requires libtls, which is only available from LibreSSL.
  If LibreSSL is not the default SSL library, link with a static
  copy of the LibreSSL libraries.

  This approach has the drawback that whenever there is an update to
  libressl, the openntpd port will require a PORTREVISION bump,
  otherwise it will not pick up the fixed library and continue to
  use the old code.

  Drop the RESSL option as LibreSSL is now always available.

  PR:		213691
  [1] Submitted by:	jbeich

Changes:
  head/net/openntpd/Makefile
Thank you, I committed a tweaked version of this. We'll see how it goes.
How does one build openntpd without SSL support now? I have an openssl port and would still like to continue using openntpd as before (with RESSL disabled).
(In reply to blackmore from comment #8) One doesn't. What problem are you trying to solve? There will be no conflict with the openssl port you have installed.
The problem is that openntpd-6.0p1_1,2 is forcing the installation of libressl and that is in conflict with the installed security/openssl port. Previously I had selected to disable RESSL (SSL support). That option is now removed. These changes make things work for me:

--- a/net/openntpd/Makefile +++ b/net/openntpd/Makefile @@ -2,7 +2,7 @@ PORTNAME= openntpd PORTVERSION= 6.0p1 -PORTREVISION= 2 +PORTREVISION= 3 PORTEPOCH= 2 CATEGORIES= net MASTER_SITES= OPENBSD/OpenNTPD @@ -21,6 +21,12 @@ GROUPS= _ntp USES= ssl GNU_CONFIGURE= yes + +OPTIONS_DEFINE= RESSL +RESSL_DESC= SSL/TLS support via LibreSSL + +OPTIONS_DEFAULT= RESSL + CONFIGURE_ARGS= --with-cacert=${LOCALBASE}/etc/ssl/cert.pem pre-build: @@ -33,6 +39,7 @@ post-stage: .include <bsd.port.pre.mk> # Requires libtls from LibreSSL +.if ${PORT_OPTIONS:MRESSL} .if ${SSL_DEFAULT:Mlibressl*} CPPFLAGS+= -I${OPENSSLINC} LDFLAGS+= -L${OPENSSLLIB} @@ -40,6 +47,8 @@ LDFLAGS+= -L${OPENSSLLIB} BUILD_DEPENDS+= ${NONEXISTENT}:security/libressl:stage CPPFLAGS+= -I${WRKDIR}/libressl/include LDFLAGS+= -L${WRKDIR}/libressl/lib +.endif # RESSL + # security/libressl ignores implicit SSP_UNSAFE, see Mk/bsd.ssp.mk . if ${OPSYS} == FreeBSD && ${OSVERSION} < 1000036 && ${ARCH} == i386 SSP_CFLAGS?= -fstack-protector
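Review bot: the PORTREVISION bump from 2 to 3 in the first hunk is not needed for this change. With OPTIONS_DEFAULT= RESSL the default build still links the static libtls exactly as before, so the package produced from the default configuration is unchanged and no installed package has to be rebuilt; keep PORTREVISION= 2 unless the default package contents actually change.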
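Review bot: in the OPTIONS hunk, USES= ssl stays unconditional, so a build with RESSL unset still records a dependency on the default SSL library (the "depends on file: /usr/local/lib/libcrypto.so.9" check in the log above) even though nothing is meant to link against it. If the point of the option is a build without SSL at all, tie the USES to the option (RESSL_USES= ssl) so the dependency goes away together with the static libtls, and verify that configure really produces a non-TLS build when RESSL is off (the "checking for tls_config_set_ca_mem" probe visible in the poudriere logs) rather than picking up whatever libtls headers happen to be in LOCALBASE.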
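Review bot: the .if ${PORT_OPTIONS:MRESSL} / .endif # RESSL wrap in the last two hunks only avoids the failure for users who turn RESSL off. With the default RESSL on and a non-libressl SSL_DEFAULT, BUILD_DEPENDS+= ${NONEXISTENT}:security/libressl:stage is still added, and that staged build is the step that dies in the log above ("libressl-2.4.3 conflicts with installed package(s): openssl-1.0.2j_1,1 ... They will not build together"), so the default configuration keeps failing on a system with the OpenSSL port installed. The conflict check needs to stop firing for a stage-only build (the conflict is an install-time one) for the default case to work; this patch alone does not address that.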
Can you show the complete build log? security/libressl is built as part of net/openntpd but is not actually installed. In a few days binary packages should become available where you can confirm the lack of a dependency[1] on the libressl package.

$ pkg info pkg
pkg-1.9.2                      Package manager
$ pkg install openntpd
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	openntpd: 6.0p1_2,2
	ca_root_nss: 3.27.1

Number of packages to be installed: 2

The process will require 2 MiB more space.

Proceed with this action? [y/N]:

[1] Caveat: the openntpd package currently always depends on the system SSL library (whatever that may be) even if unused. USES=ssl is only needed for DEFAULT_VERSIONS=ssl=libressl, but the USES facility doesn't work after bsd.port.pre.mk. This may be fixed by moving the workaround here into USES=ssl.
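A way to confirm the property described above, that an openntpd binary built against the staged LibreSSL carries no runtime dependency on LibreSSL's shared libtls. This is an added example, not code from the PR, from the openntpd port or from the libressl port. It assumes FreeBSD ldd(1) output of the form "soname => path (address)", assumes the binary lives at /usr/local/sbin/ntpd, and embeds constructed ldd output with placeholder library version numbers so that it runs offline. libtls is the library only LibreSSL provides, so it is the only one checked; a libcrypto from the default SSL library is expected (that is the USES=ssl caveat in the comment above) and is deliberately not flagged.

```shell
#!/bin/sh
# Added example (not from the PR or the ports): does a binary still resolve
# libtls from a shared LibreSSL at run time, or is libtls linked statically?
# On a FreeBSD host run it against the real binary:
#     ldd /usr/local/sbin/ntpd | libtls_is_static && echo "libtls is static"
# Below, ldd output is constructed inline; version numbers are placeholders.

# Constructed: what ldd prints when libtls comes from the shared LibreSSL
# copy in LOCALBASE (the DEFAULT_VERSIONS=ssl=libressl case).
SAMPLE_DYNAMIC='/usr/local/sbin/ntpd:
        libtls.so.10 => /usr/local/lib/libtls.so.10 (0x800a00000)
        libssl.so.38 => /usr/local/lib/libssl.so.38 (0x800c00000)
        libcrypto.so.37 => /usr/local/lib/libcrypto.so.37 (0x801000000)
        libc.so.7 => /lib/libc.so.7 (0x801400000)'

# Constructed: the static-libtls build on an OpenSSL-port system. No libtls
# line at all; the libcrypto pulled in by USES=ssl is still present and is
# not treated as a problem, since OpenSSL provides that library too.
SAMPLE_STATIC='/usr/local/sbin/ntpd:
        libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x800a00000)
        libc.so.7 => /lib/libc.so.7 (0x800e00000)'

# Read ldd output on stdin; print each shared libtls it resolves as
# "soname -> path". Any hit means a run-time dependency on a LibreSSL
# package that a static link was supposed to remove.
shared_libtls() {
    awk '$1 ~ /^libtls\.so/ && $2 == "=>" { print $1 " -> " $3 }'
}

# Exit 0 when no shared libtls is resolved (statically linked), 1 otherwise.
libtls_is_static() {
    [ -z "$(shared_libtls)" ]
}

# Demo on the constructed samples.
for sample in "$SAMPLE_STATIC" "$SAMPLE_DYNAMIC"; do
    if printf '%s\n' "$sample" | libtls_is_static; then
        echo "OK: libtls statically linked"
    else
        echo "WARNING: runtime dependency on shared libtls:"
        printf '%s\n' "$sample" | shared_libtls | sed 's/^/    /'
    fi
done
```

Pair it with `pkg info -d openntpd` on the installed package: the ldd check tells you what the binary actually loads, the package metadata tells you what pkg will pull in, and after a libressl update both should still point away from the libressl package for the static build to have done its job.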
Sure. /etc/make.conf contains among other things:

## world ##
MALLOC_PRODUCTION=yes
SSL_OP_NO_SSLv2=yes
SSL_OP_NO_SSLv3=yes
security_openssl_UNSET=SSL2 SSL3

## ports ##
WITH_OPENSSL_PORT=yes
OPTIONS_UNSET=DEBUG DOCS X11
OPTIONS_SET=OPTIMIZED_CFLAGS
DEFAULT_VERSIONS=python=2.7 python2=2.7 python3=3.5 php=5.6 ssl=openssl

The build goes as follows:

[root@SagaBOX ~]# portmaster -adi
===>>> The following actions will be taken if you choose to proceed:
	Upgrade openntpd-6.0p1_1,2 to openntpd-6.0p1_2,2
===>>> Proceed? y/n [y]
===>>> Starting build for ports that need updating <<<===
===>>> Launching child to install net/openntpd
===>>> All >> net/openntpd (1/1)
===>>> Currently installed version: openntpd-6.0p1_1,2
===>>> Port directory: /usr/ports/net/openntpd
===>>> Starting check for build dependencies
===>>> Gathering dependency list for net/openntpd from ports
===>>> The dependency for security/libressl seems to be handled by openssl-1.0.2j_1,1
===>>> Dependency check complete for net/openntpd
===>>> All >> openntpd-6.0p1_1,2 (1/1)
===> Cleaning for openntpd-6.0p1_2,2
===> License ISCL accepted by the user
===> Found saved configuration for openntpd-5.7p4_2,2
===> openntpd-6.0p1_2,2 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by openntpd-6.0p1_2,2 for building
===> libressl-2.4.3 conflicts with installed package(s): openssl-1.0.2j_1,1
      They install files into the same place.
      You may want to stop build with Ctrl + C.
===> License BSD4CLAUSE accepted by the user
===> Found saved configuration for libressl-2.4.3
===> libressl-2.4.3 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by libressl-2.4.3 for building
===> Extracting for openntpd-6.0p1_2,2
=> SHA256 Checksum OK for openntpd-6.0p1.tar.gz.
===> Patching for openntpd-6.0p1_2,2
===> Applying FreeBSD patches for openntpd-6.0p1_2,2
===> openntpd-6.0p1_2,2 depends on file: /usr/local/lib/libcrypto.so.9 - found
===> libressl-2.4.3 conflicts with installed package(s): openssl-1.0.2j_1,1
      They install files into the same place.
      You may want to stop build with Ctrl + C.
===> License BSD4CLAUSE accepted by the user
===> Found saved configuration for libressl-2.4.3
===> libressl-2.4.3 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by libressl-2.4.3 for building
===> libressl-2.4.3 conflicts with installed package(s): openssl-1.0.2j_1,1
      They will not build together.
      Please remove them first with pkg delete.
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/security/libressl
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/libressl
*** Error code 1

Stop.
make: stopped in /usr/ports/net/openntpd

===>>> make build failed for net/openntpd
===>>> Aborting update

===>>> Update for net/openntpd failed
===>>> Aborting update

===>>> You can restart from the point of failure with this command line:
	portmaster <flags> net/openntpd
(In reply to Simeon Simeonov from comment #12)

> WITH_OPENSSL_PORT= yes is deprecated, please use
> DEFAULT_VERSIONS+= ssl=openssl instead.

The port doesn't bring in LibreSSL as far as I can see. It only builds libressl up to the staging target and uses it to statically link libtls.
The same result when WITH_OPENSSL_PORT= yes is removed (obviously). The port pulls in LibreSSL as a dependency. As a result the port build (of openntpd) fails. This should not happen, no matter the difference in definitions.
(In reply to Simeon Simeonov from comment #14)

Hi Simeon,

Your build system looks out of sync. If anything your output should show many warnings regarding the use of WITH_OPENSSL_PORT, but apparently the warnings are hidden by portmaster. If anything this looks like an issue with portmaster, not with this port.

> ===>>> The following actions will be taken if you choose to proceed:
> 	Re-install openntpd-6.0p1_2,2
> 	Install security/libressl

With the ports framework:

> make -C /usr/ports/net/openntpd
> /!\ WARNING /!\
> Using WITH_OPENSSL_PORT in make.conf is deprecated, replace it with DEFAULT_VERSIONS+=ssl=openssl in your make.conf

Just verified that it DOES NOT install LibreSSL when using the ports framework.

portmaster uses run-, build-, all-depends-list to check for dependencies.

Please open a PR for ports-mgmt/portmaster.

Thanks,
Bernard.
Well... not exactly... OK.

After removing openntpd I do the following steps (NO portmaster involved, no outdated make.conf either):

[root@SagaBOX ~]# portsnap fetch update && pkg version -v -L = ; pkg updating -d 20161030
Looking up portsnap.FreeBSD.org mirrors... 6 mirrors found.
Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
Ports tree hasn't changed since last snapshot.
No updates needed.
Ports tree is already up to date.
[root@SagaBOX ~]# grep -i ssl /etc/make.conf
SSL_OP_NO_SSLv2=yes
SSL_OP_NO_SSLv3=yes
security_openssl_UNSET=SSL2 SSL3
##WITH_OPENSSL_PORT=yes
DEFAULT_VERSIONS=python=2.7 python2=2.7 python3=3.5 php=5.6 ssl=openssl
[root@SagaBOX /usr/ports/net/openntpd]# make install clean
===> License ISCL accepted by the user
===> Found saved configuration for openntpd-5.7p4_2,2
===> openntpd-6.0p1_2,2 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by openntpd-6.0p1_2,2 for building
===> libressl-2.4.3 conflicts with installed package(s): openssl-1.0.2j_1,1
      They install files into the same place.
      You may want to stop build with Ctrl + C.
===> License BSD4CLAUSE accepted by the user
===> Found saved configuration for libressl-2.4.3
===> libressl-2.4.3 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by libressl-2.4.3 for building
===> Extracting for openntpd-6.0p1_2,2
=> SHA256 Checksum OK for openntpd-6.0p1.tar.gz.
===> Patching for openntpd-6.0p1_2,2
===> Applying FreeBSD patches for openntpd-6.0p1_2,2
===> openntpd-6.0p1_2,2 depends on file: /usr/local/lib/libcrypto.so.9 - found
===> libressl-2.4.3 conflicts with installed package(s): openssl-1.0.2j_1,1
      They install files into the same place.
      You may want to stop build with Ctrl + C.
===> License BSD4CLAUSE accepted by the user
===> Found saved configuration for libressl-2.4.3
===> libressl-2.4.3 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by libressl-2.4.3 for building
===> libressl-2.4.3 conflicts with installed package(s): openssl-1.0.2j_1,1
      They will not build together.
      Please remove them first with pkg delete.
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/security/libressl
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/libressl
*** Error code 1

Stop.
make: stopped in /usr/ports/net/openntpd
A commit references this bug:

Author: brnrd
Date: Sun Oct 30 14:56:58 UTC 2016
New revision: 424947
URL: https://svnweb.freebsd.org/changeset/ports/424947

Log:
  security/libressl: Switch to CONFLICTS_INSTALL

   - There's no conflict at build time

  PR:		213691

Changes:
  head/security/libressl/Makefile
  head/security/libressl-devel/Makefile
Created attachment 176310: svn diff for net/openntpd

(In reply to Bernard Spil from comment #15)

Hi Simeon,

Aha! Sorry, hadn't checked what happens when OpenSSL is actually installed when you build openntpd, guess what...

I think I've solved this with this patch. The issue is with setting USES= ssl which forces the ports framework to build/install libressl. This is now only set when LibreSSL is indeed installed. In other cases it will build/stage LibreSSL but not install or depend on it.
A commit references this bug:

Author: brnrd
Date: Sun Oct 30 15:16:02 UTC 2016
New revision: 424949
URL: https://svnweb.freebsd.org/changeset/ports/424949

Log:
  security/acme-client: Fix CONFLICT errors when OpenSSL is installed

   - As reported for OpenNTPd

  PR:		213691
  Reported by:	Simeon Simeonov <blackmore@pichove.org>

Changes:
  head/security/acme-client/Makefile
That will work, but do we want to eliminate the option to build openntpd without (any) SSL support? I feel that this option may be useful on some systems like tiny Raspberry Pi installations. In any case this should fix it for most people, including me. Thank you for your time and patience!
Unless a back-out is in question, please discuss any regressions in separate bugs. This bug became a mess of different issues. Also, ports 424949 landed despite the caveat described in comment 11.
(In reply to Jan Beich (mail not working) from comment #21) Hi Jan, A fix for the issue is also attached to this PR. Small change but at least allows everyone to build. Cheers, Bernard.
Do you mean ports 424947 *after* you've ignored my patch in bug 213889? ;)
(In reply to Bernard Spil from comment #22) Yes, please commit.
Comment on attachment 176310: svn diff for net/openntpd

After applying, the DEFAULT_VERSIONS=ssl=libressl build fails: http://sprunge.us/ACdA