Bug 233389 - databases/puppetdb-cli: fails to build with OpenSSL 1.1.*
Status: Closed Not Accepted
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: FreeBSD Puppet Team
URL: http://beefy6.nyi.freebsd.org/data/12...
Keywords: patch, patch-ready
Depends on:
Blocks: 231931
Reported: 2018-11-21 18:56 UTC by Jan Beich
Modified: 2018-12-14 03:07 UTC

See Also:
bugzilla: maintainer-feedback? (puppet)

v1 (48.26 KB, patch)
2018-11-21 18:56 UTC, Jan Beich
v1 (48.26 KB, patch)
2018-11-21 19:03 UTC, Jan Beich

Description Jan Beich freebsd_committer 2018-11-21 18:56:43 UTC
Created attachment 199432

Can you test runtime? I don't use this port.

Build logs:
- 11.2 amd64: https://ptpb.pw/L6mS
- 11.2 i386:  https://ptpb.pw/vf2h
- 12.0 amd64: https://ptpb.pw/TTBl
- 12.0 i386:  https://ptpb.pw/W1iV
- 13.0 amd64: https://ptpb.pw/ZW7O
- 13.0 i386:  https://ptpb.pw/eYZx
Comment 1 Jan Beich freebsd_committer 2018-11-21 19:03:07 UTC
Created attachment 199433

Oops, missed SSL_DEFAULT == base check before testing FreeBSD version.
Comment 2 Romain Tartière freebsd_committer 2018-11-22 19:51:58 UTC
Wow, have you considered submitting this support for recent OpenSSL to the "0.9.x" branch of the openssl crate upstream (by filing a PR on GitHub)? I believe that a new 0.9.x version with the fixes would be the easiest way to fix the port and keep it working in the future.

I tried to switch to the 0.10.x branch which I think should work with recent OpenSSL, but the API has changed a lot and I am totally new to Rust / Cargo.  I could not make any progress, so I opened an issue upstream:
Comment 3 Romain Tartière freebsd_committer 2018-11-22 20:48:57 UTC
Looks like we also need:

BROKEN_SSL=    libressl
BROKEN_SSL_REASON_libressl=    No support for libressl yet

Updating my ports to build against openssl111 right now.
Comment 4 Jan Beich freebsd_committer 2018-11-30 05:46:30 UTC
Another option is building against security/openssl installed under ${STAGEDIR} then linking statically. See net/openntpd for inspiration.

(In reply to Romain Tartière from comment #2)
> have you considered submitting this support for recent OpenSSL
> to the "0.9.x" branch of the openssl crate upstream?

OpenSSL 1.1.1 fix also includes cleanup and automation fixes which are harder to rebase. Besides, upstream is not interested.

Comment 5 Romain Tartière freebsd_committer 2018-11-30 18:01:39 UTC
A lot of ports are broken when built against openssl 1.1.1 (nut, bacula, spamd just to name a few leaf ports broken when trying to change ssl= on my puppetserver), but it seems to be possible to check that puppetdb-cli is working by installing it on a random node and forwarding to on the node running puppetdb (`ssh -L 8080: puppetdb`).  I did this and everything seems to be fine :+1:.

My concerns are more related to maintaining this in the FreeBSD ports tree.  As spotted in the last message from jbeich@, rust-openssl 0.10 has support for modern openssl (should work with ssl= base, libressl, openssl and openssl111, I am not 100% sure of that though), and I quite agree with the crate maintainer's opinion about patching rust-openssl 0.9…

Updating rust-openssl in the kitchensink crate looks far from trivial.  This seems an over-complicated task to discover go, cargo and the openssl crate AFAIAC.  Maybe someone used to go and cargo and who "just" has to discover the openssl crate may find this doable?  What do you think, puppet@ people?  Do we ship this at the risk of breaking it again sooner or later, or do we just mark it broken when it's broken and hope for a better fix from upstream at some point?
Comment 6 Romain Tartière freebsd_committer 2018-12-14 02:48:24 UTC

I could add a FreeBSD 12.0 jail to my poudriere setup, and it looks like if you build the ports against security/openssl you end up with a working puppetdb-cli.


I understand that it's not what users would expect, but the current situation makes me feel that attempting to patch this port so that it builds with all supported SSL implementations we support is far more work than what we can support :-/  If upstream has no interest in supporting "current" openssl releases and it happens to be unbuildable at some point, we will remove it from the ports tree.

I will commit relevant BROKEN_SSL lines to the Makefile so that the build failures are documented.

Thanks for bringing this to our attention and your attempt to improve the situation!
Comment 7 commit-hook freebsd_committer 2018-12-14 02:59:59 UTC
A commit references this bug:

Author: romain
Date: Fri Dec 14 02:59:37 UTC 2018
New revision: 487403
URL: https://svnweb.freebsd.org/changeset/ports/487403

  Mark broken with unsupported OpenSSL release

  puppetdb-cli internal dependencies support OpenSSL 1.0 or older only. To
  sum up, one will be able to build/run puppetdb-cli using SSL from base
  (FreeBSD <= 11) or from security/openssl (all FreeBSD versions).

  Mark broken for:
    - DEFAULT_VERSIONS+=ssl=base (for FreeBSD 12+)
    - DEFAULT_VERSIONS+=ssl=openssl111
    - DEFAULT_VERSIONS+=ssl=libressl

  An experimental patch to bring support for OpenSSL 1.1.1 is available in
  the PR 233389.
  The details of why we chose not to merge it are explained in the comments.

  PR:             233389
  Reported by:    jbeich
  With hat:       puppet