> On 08 Jul 2016, at 11:45 AM, Mark Millard <[email protected]> wrote:
>
> Mathieu Arnold mat at FreeBSD.org wrote on Fri Jul 8 06:26:33 UTC 2016:
>
>> I will be changing the
>> default OpenSSL for the ports tree from the base system version to
>> security/openssl.
>
> This could be odd for something like ports-mgmt/pkg if it currently uses the
> base system version: needing to have had already built security/openssl in
> order to build/use pkg.

This needs to be built against base if it doesn't want to bundle the library.

On a slightly related note, bapt@ added that pkg(8) doesn't necessarily need OpenSSL, but the implementation of required algorithms is faster than available alternatives. And it's just that OpenSSL is such a large project that bundling makes it difficult.

A large portion of work in early 2015 focused on making OpenSSL ports build dependencies reliable, because LibreSSL from ports wasn't really working as many ports supposedly using OpenSSL from ports were using OpenSSL from base. Things have changed considerably in 1.5 years.

I think the main motivation here is: fixing security issues faster and depending less on base where possible to allow major upgrades to take place of said SSL libraries. The other one was that base OpenSSL should be more private, for that same reason or another.

As another example of how this might be useful: HardenedBSD can build LibreSSL base, but for people still needing OpenSSL in order not to jeopardise their job security the default of using the ports version would be the way to go.

On OPNsense, we even build parallel tracks for OpenSSL and LibreSSL from ports and it's therefore possible to migrate from one track to the other as pkg(8) thinks it's upgrading to a new version where shared library dependencies changed. ;)

I think what's bad now is that the SSL port chosen is exclusive to the repository due to files installed. Switching to OpenSSL from ports will prevent ports that do depend on LibreSSL's shared library libtls.so from working, because OpenSSL is so deeply tied into today's software that it will be on almost any default installation.

Cheers,
Franco
