> On Jan 15, 2019, at 5:55 PM, David Cornejo <d...@dogwood.com> wrote:
> 
> Hi,
> 
> I am working on some code that wants to use mkerr.pl from the openssl
> distribution - but this appears to have been left out of the import to
> base.
> 
> Is there an alternative method to create the include files produced
> from this script in FreeBSD?


Hi Dave,

I would go a different route from what was mentioned by others — I would 
actually either grab mkerr.pl from upstream from the release package (upstream 
on GitHub is https://github.com/openssl/openssl/releases ) (sidenote: I don’t 
know why, but our vendor-crypto tree lacks this script as well; jkim@ CCed). 
Why go this route? You can easily grab the file using a tool like curl, fetch, 
or wget from GitHub, and you can be sure that the version you’re grabbing is 
the upstream release version. The only downside of this route is that you might 
have to apply local patches in order to fix bugs with the script itself (which 
the port would handle), and you’ll have to grab all dependencies (in this 
case/version: configdata.pm, which is generated from the release). Example:

fetch -o mkerr.pl https://raw.githubusercontent.com/openssl/openssl/d1c28d791a7391a8dc101713cd8646df96491d03/util/mkerr.pl

I think that these files should be committed in the vendor-crypto tree, along 
with crypto/openssl ; although FreeBSD as a project doesn’t have much value for 
these files, other repackagers do have value for these files (Isilon had to 
recompile openssl to deal with some modifications to the library for FIPS 
compliance).

Why am I not recommending the port outright? Depending on which version of 
openssl you’re based on, you might need to maintain a Frankensteinian version 
of the port to deal with the current (or old) ports framework, which can be… 
noisome (speaking from experience having dealt with this at Isilon with a 3 
year old port system in the past). Plus, some of the config might differ 
(--prefix, etc), causing the version you’re configuring to differ from the base 
system version.

Alternatively, you could just bypass openssl in base and patch a copy from 
ports and be done with it.

Cheers,
-Enji
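
An added example, not part of the original message and not FreeBSD or OpenSSL project code: the pinned-commit fetch suggested above, wrapped so that the downloaded script is checked against a locally recorded SHA-256 before it is installed. The function names and the manifest file format are assumptions made for illustration; the commit id is the one from the message.

```shell
# Added example: fetch a file at a pinned upstream commit and check it against
# a locally recorded SHA-256. Function names and manifest format are assumptions.
COMMIT=d1c28d791a7391a8dc101713cd8646df96491d03   # commit id from the message
BASE=https://raw.githubusercontent.com/openssl/openssl

# SHA-256 of a file: sha256(1) on FreeBSD, sha256sum(1) elsewhere.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# pinned_url <path-in-repo>: raw URL of that path at the pinned commit.
pinned_url() {
    printf '%s/%s/%s\n' "$BASE" "$COMMIT" "$1"
}

# check_or_record <file> <name> <manifest>: the first time <name> is seen,
# record "digest  name"; afterwards succeed only if the digest is unchanged.
check_or_record() {
    [ -e "$3" ] || : > "$3"
    sum=$(file_sha256 "$1"); [ -n "$sum" ] || return 2
    want=$(awk -v n="$2" '$2 == n { print $1; exit }' "$3")
    if [ -z "$want" ]; then
        printf '%s  %s\n' "$sum" "$2" >> "$3"
        return 0
    fi
    [ "$sum" = "$want" ]
}

# fetch_pinned <path-in-repo> <manifest>: download, verify, install by base name.
fetch_pinned() {
    name=$(basename "$1")
    tmp=$(mktemp) || return 2
    if command -v fetch >/dev/null 2>&1; then
        fetch -o "$tmp" "$(pinned_url "$1")"
    else
        curl -fsSL -o "$tmp" "$(pinned_url "$1")"
    fi || { rm -f "$tmp"; return 2; }
    if check_or_record "$tmp" "$name" "$2"; then
        mv "$tmp" "$name"
    else
        rm -f "$tmp"
        echo "$name: digest differs from manifest, not installed" >&2
        return 1
    fi
}
```

Usage would be `fetch_pinned util/mkerr.pl openssl-tools.sha256`, keeping the manifest under version control next to the code that consumes the script.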
