Re: Committer needed for PR 208029

2016-04-06 Thread Michelle Sullivan

Jim Ohlstein wrote:

> Hello,
>
> On 4/6/16 12:39 PM, Mathieu Arnold wrote:
>
>> +--On 6 April 2016 12:00:47 -0400 Jim Ohlstein  wrote:
>> | Hello,
>> |
>> |> On Apr 6, 2016, at 11:37 AM, Mathieu Arnold  wrote:
>> |>
>> |> +--On 6 April 2016 10:06:41 -0400 Jim Ohlstein  wrote:
>> |> | Hello,
>> |> |
>> |> | On 4/6/16 12:44 AM, Kurt Jaeger wrote:
>> |> |> Hi!
>> |> |>
>> |> |>> Actually, I just noticed (when compiling the port), that the Makefile
>> |> |>> now says:
>> |> |>>
>> |> |>> WITH_OPENSSL_PORT=yes
>> |> |>
>> |> |> Yes, sorry, my fault. Fixed, and as suggested by mat: It is
>> |> |> now as IGNORE with a message explaining how to do it for 9.x.
>> |> |>
>> |> |
>> |> | This is much ado about nothing. The "WITH_OPENSSL_PORT" option is there
>> |> | for just this purpose and is used in many ports.
>> |>
>> |> No, the WITH_OPENSSL_PORT knob is a global one, and must not be used in
>> |> ports makefiles.  The fact is, there are ports using it, true, it does
>> |> not mean it is the right thing to do.
>> |>
>> |
>> | Then there are many ports being committed incorrectly, as well as, no
>> | doubt, many *official* packages.
>> |
>> | I really have no dog in this fight. I use it globally and build all of my
>> | own packages with poudriere, but either it shouldn't be there at all, or
>> | it should be ok to use. Having it available as an option to porters and
>> | then saying it shouldn't be used seems a bit silly.
>>
>> Well, it is not available for the porters as it is a global directive, they
>> use it anyway.
>>
>> Anyway, like I said, working on it.
>
> Maybe an edit to portlint is in order. That way they might know. As of
> now, portlint does not so much as emit a warning.
>
> I don't entirely disagree with the premise that all ports that require
> OpenSSL should be built against the version in ports. As I said, I do
> it and it also makes port maintenance simpler. However, as long as it
> is actually an option, as it is now, then it should be availed when
> desired.

I don't agree or disagree for what it's worth... What I do say though is
wherever possible all ports should be compiled against one version..
of course GSSAPI support is a 'special case' in point that might have to
break that rule of thumb.

> Further down the road (but not all that far) I foresee other, perhaps
> bigger problems if using this strategy. OpenSSL 1.1.0 is in beta and
> will be released within the next month or two. It is not completely
> backward compatible.

100% there...!

> At some point it will become the official ports version and/or two
> versions will need to be maintained in ports, 1.0.2 (LTS until 2019)
> and 1.1.x. This will create the problem of some/many ports not
> building against 1.1.x and some ports or port options _requiring_
> 1.1.x. Assuming 1.1.x is the main OpenSSL in ports, there will be
> ports that would build properly against OpenSSL in base (but cannot be
> built that way if using the ports version is mandated), and do not
> compile against OpenSSL 1.1.x. Most can no doubt be patched, but
> waiting for upstream providers to do so may be problematic, and many
> porters lack the skills.

Personally I'm surprised there is not more than one major version of
openssl in the ports tree already.. perhaps there should be...


--
Michelle Sullivan
http://www.mhix.org/

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"


Re: Committer needed for PR 208029

2016-04-06 Thread Michelle Sullivan

Kurt Jaeger wrote:

> Hi!
>
>> This is much ado about nothing. The "WITH_OPENSSL_PORT" option is there
>> for just this purpose and is used in many ports.
>
> In 9.x this is sometimes a problem, if port X builds in variant 1
> and port Y depends/links on X, but builds in variant 2. So it's
> a temporary solution for 9.x and will be solved when 9.x is EOL'ed.

I have run into exactly this.

> I'm not sure how this is solved in 10.x/11.x, probably the base SSL
> is much more up2date.

Still has the same problem... though at the moment with 10.x being so up
to date it's not noticeable when OpenSSL 1.0.3+ comes out it'll only be a
matter of time before the same problems come up... and for the record, I
think based on the FreeBSD policy, putting in an IGNORE or BROKEN for a
too early version of openssl in base is the best policy ... not
forgetting that the user doesn't have to specify system-wide options,
they can do it on the command line.

>> Forcing users who want to use this port to use OpenSSL from ports for
>> ALL ports is overkill.
>
>> Think about official packages. Are ALL packages built against OpenSSL
>> from ports, or only those that need them? It's the latter, of course.
>> Are they incompatible in production? No.

Actually I think you'll find with the intent of compiling and using the
new pkg (at least until variants are done) it's a hell of a lot worse
(you can't use pkg upgrade with the risk of something that you need
getting replaced by something you have chosen to configure... that
said.. you have the same problem even if you have USE_OPENSSL_PORTS
defined anyhow...)

> There are grey areas, and I guess it will be like that for 9.x.




--
Michelle Sullivan
http://www.mhix.org/



Re: Committer needed for PR 208029

2016-04-06 Thread Jim Ohlstein

Hello,

On 4/6/16 12:39 PM, Mathieu Arnold wrote:

> +--On 6 April 2016 12:00:47 -0400 Jim Ohlstein  wrote:
> | Hello,
> |
> |> On Apr 6, 2016, at 11:37 AM, Mathieu Arnold  wrote:
> |>
> |> +--On 6 April 2016 10:06:41 -0400 Jim Ohlstein  wrote:
> |> | Hello,
> |> |
> |> | On 4/6/16 12:44 AM, Kurt Jaeger wrote:
> |> |> Hi!
> |> |>
> |> |>> Actually, I just noticed (when compiling the port), that the Makefile
> |> |>> now says:
> |> |>>
> |> |>> WITH_OPENSSL_PORT=yes
> |> |>
> |> |> Yes, sorry, my fault. Fixed, and as suggested by mat: It is
> |> |> now as IGNORE with a message explaining how to do it for 9.x.
> |> |>
> |> |
> |> | This is much ado about nothing. The "WITH_OPENSSL_PORT" option is there
> |> | for just this purpose and is used in many ports.
> |>
> |> No, the WITH_OPENSSL_PORT knob is a global one, and must not be used in
> |> ports makefiles.  The fact is, there are ports using it, true, it does
> |> not mean it is the right thing to do.
> |>
> |
> | Then there are many ports being committed incorrectly, as well as, no
> | doubt, many *official* packages.
> |
> | I really have no dog in this fight. I use it globally and build all of my
> | own packages with poudriere, but either it shouldn't be there at all, or
> | it should be ok to use. Having it available as an option to porters and
> | then saying it shouldn't be used seems a bit silly.
>
> Well, it is not available for the porters as it is a global directive, they
> use it anyway.
>
> Anyway, like I said, working on it.



Maybe an edit to portlint is in order. That way they might know. As of 
now, portlint does not so much as emit a warning.


I don't entirely disagree with the premise that all ports that require 
OpenSSL should be built against the version in ports. As I said, I do it 
and it also makes port maintenance simpler. However, as long as it is 
actually an option, as it is now, then it should be availed when desired.


Further down the road (but not all that far) I foresee other, perhaps 
bigger problems if using this strategy. OpenSSL 1.1.0 is in beta and 
will be released within the next month or two. It is not completely 
backward compatible. At some point it will become the official ports 
version and/or two versions will need to be maintained in ports, 1.0.2 
(LTS until 2019) and 1.1.x. This will create the problem of some/many 
ports not building against 1.1.x and some ports or port options 
_requiring_ 1.1.x. Assuming 1.1.x is the main OpenSSL in ports, there 
will be ports that would build properly against OpenSSL in base (but 
cannot be built that way if using the ports version is mandated), and do 
not compile against OpenSSL 1.1.x. Most can no doubt be patched, but 
waiting for upstream providers to do so may be problematic, and many 
porters lack the skills.


--
Jim Ohlstein


"Never argue with a fool, onlookers may not be able to tell the 
difference." - Mark Twain
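
Added example (not part of the thread, and not portlint's own code): a small shell check in the spirit of the portlint suggestion in the message above. It warns when a port Makefile assigns the global WITH_OPENSSL_PORT knob and ignores lines that only test it; the function names, warning text and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not portlint code: warn when a port Makefile assigns the
# global WITH_OPENSSL_PORT knob. Function names and wording are hypothetical.

# Print one WARN line per assignment found in any Makefile below directory $1.
# Lines that merely test the knob (.if defined(...)) are not assignments.
lint_openssl_knob() {
    find "$1" -type f -name Makefile | sort | while IFS= read -r mk; do
        awk -v f="$mk" '
            # VAR=, VAR?=, VAR+=, VAR:= and VAR!= all set the variable
            /^[ \t]*WITH_OPENSSL_PORT[ \t]*[?+:!]?=/ {
                printf "WARN: %s:%d: port Makefile sets global knob WITH_OPENSSL_PORT\n", f, FNR
            }' "$mk"
    done
}

# Number of offending assignments below directory $1.
count_openssl_knob() {
    lint_openssl_knob "$1" | wc -l | tr -d '[:space:]'
}

# Build a constructed category directory with four tiny port Makefiles and
# print its path. The contents are sample data, not the real ports.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/clean" "$d/h2o" "$d/nginx" "$d/spdylay"
    printf 'PORTNAME= clean\n' > "$d/clean/Makefile"
    printf 'PORTNAME= h2o\nWITH_OPENSSL_PORT= no\nWITH_OPENSSL_PORT?= yes\n' \
        > "$d/h2o/Makefile"
    printf 'PORTNAME= nginx\nWITH_OPENSSL_PORT=\tyes\n' > "$d/nginx/Makefile"
    # Only reads the knob, so it must not be reported.
    cat > "$d/spdylay/Makefile" <<'EOF'
.if ${OSVERSION} < 100 && !defined(WITH_OPENSSL_PORT)
IGNORE= needs OpenSSL from ports
.endif
EOF
    printf '%s\n' "$d"
}

# Demo run on the constructed tree.
tree=$(make_sample_tree)
lint_openssl_knob "$tree"
rm -rf "$tree"
```

Pointing `lint_openssl_knob` at a category directory of a ports checkout gives the same kind of listing as the grep quoted later in the thread, minus the lines that only read the knob.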



Re: Committer needed for PR 208029

2016-04-06 Thread Mathieu Arnold
+--On 6 April 2016 12:00:47 -0400 Jim Ohlstein  wrote:
| Hello,
| 
|> On Apr 6, 2016, at 11:37 AM, Mathieu Arnold  wrote:
|> 
|> +--On 6 April 2016 10:06:41 -0400 Jim Ohlstein  wrote:
|> | Hello,
|> | 
|> | On 4/6/16 12:44 AM, Kurt Jaeger wrote:
|> |> Hi!
|> |> 
|> |>> Actually, I just noticed (when compiling the port), that the Makefile
|> |>> now says:
|> |>> 
|> |>> WITH_OPENSSL_PORT=yes
|> |> 
|> |> Yes, sorry, my fault. Fixed, and as suggested by mat: It is
|> |> now as IGNORE with a message explaining how to do it for 9.x.
|> |> 
|> | 
|> | This is much ado about nothing. The "WITH_OPENSSL_PORT" option is there
|> | for just this purpose and is used in many ports.
|> 
|> No, the WITH_OPENSSL_PORT knob is a global one, and must not be used in
|> ports makefiles.  The fact is, there are ports using it, true, it does
|> not mean it is the right thing to do.
|> 
| 
| Then there are many ports being committed incorrectly, as well as, no
| doubt, many *official* packages. 
| 
| I really have no dog in this fight. I use it globally and build all of my
| own packages with poudriere, but either it shouldn't be there at all, or
| it should be ok to use. Having it available as an option to porters and
| then saying it shouldn't be used seems a bit silly. 

Well, it is not available for the porters as it is a global directive, they
use it anyway.

Anyway, like I said, working on it.

-- 
Mathieu Arnold



Re: Committer needed for PR 208029

2016-04-06 Thread Christoph Moench-Tegeder
## Kurt Jaeger (li...@opsec.eu):

> In 9.x this is sometimes a problem, if port X builds in variant 1
> and port Y depends/links on X, but builds in variant 2. So it's
> a temporary solution for 9.x and will be solved when 9.x is EOL'ed.

We have also seen that problem on 10.x:
https://lists.freebsd.org/pipermail/freebsd-emulation/2015-March/012390.html

Regards,
Christoph

-- 
Spare Space


Re: Committer needed for PR 208029

2016-04-06 Thread Jim Ohlstein
Hello,

> On Apr 6, 2016, at 11:37 AM, Mathieu Arnold  wrote:
> 
> +--On 6 April 2016 10:06:41 -0400 Jim Ohlstein  wrote:
> | Hello,
> | 
> | On 4/6/16 12:44 AM, Kurt Jaeger wrote:
> |> Hi!
> |> 
> |>> Actually, I just noticed (when compiling the port), that the Makefile
> |>> now says:
> |>> 
> |>> WITH_OPENSSL_PORT=yes
> |> 
> |> Yes, sorry, my fault. Fixed, and as suggested by mat: It is
> |> now as IGNORE with a message explaining how to do it for 9.x.
> |> 
> | 
> | This is much ado about nothing. The "WITH_OPENSSL_PORT" option is there
> | for just this purpose and is used in many ports.
> 
> No, the WITH_OPENSSL_PORT knob is a global one, and must not be used in
> ports makefiles.  The fact is, there are ports using it, true, it does not
> mean it is the right thing to do.
> 

Then there are many ports being committed incorrectly, as well as, no doubt, 
many *official* packages. 

I really have no dog in this fight. I use it globally and build all of my own 
packages with poudriere, but either it shouldn't be there at all, or it should 
be ok to use. Having it available as an option to porters and then saying it 
shouldn't be used seems a bit silly. 

> There is work going on to always use OpenSSL from ports, but it also needs
> to take into account GSSAPI, and it's a mess.

--
Jim


Re: Committer needed for PR 208029

2016-04-06 Thread Mathieu Arnold
+--On 6 April 2016 10:06:41 -0400 Jim Ohlstein  wrote:
| Hello,
| 
| On 4/6/16 12:44 AM, Kurt Jaeger wrote:
|> Hi!
|> 
|>> Actually, I just noticed (when compiling the port), that the Makefile
|>> now says:
|>> 
|>> WITH_OPENSSL_PORT=yes
|> 
|> Yes, sorry, my fault. Fixed, and as suggested by mat: It is
|> now as IGNORE with a message explaining how to do it for 9.x.
|> 
| 
| This is much ado about nothing. The "WITH_OPENSSL_PORT" option is there
| for just this purpose and is used in many ports.

No, the WITH_OPENSSL_PORT knob is a global one, and must not be used in
ports makefiles.  The fact is, there are ports using it, true, it does not
mean it is the right thing to do.

There is work going on to always use OpenSSL from ports, but it also needs
to take into account GSSAPI, and it's a mess.

-- 
Mathieu Arnold



Re: Committer needed for PR 208029

2016-04-06 Thread Jim Ohlstein
Hello,

> On Apr 6, 2016, at 10:47 AM, Kurt Jaeger  wrote:
> 
> Hi!
> 
>> This is much ado about nothing. The "WITH_OPENSSL_PORT" option is there 
>> for just this purpose and is used in many ports.
> 
> In 9.x this is sometimes a problem, if port X builds in variant 1
> and port Y depends/links on X, but builds in variant 2. So it's
> a temporary solution for 9.x and will be solved when 9.x is EOL'ed.
> 
> I'm not sure how this is solved in 10.x/11.x, probably the base SSL
> is much more up2date.
> 
>> Forcing users who want to use this port to use OpenSSL from ports for 
>> ALL ports is overkill.
> 
>> Think about official packages. Are ALL packages built against OpenSSL 
>> from ports, or only those that need them? It's the latter, of course. 
>> Are they incompatible in production? No.
> 
> There are grey areas, and I guess it will be like that for 9.x.

Not only 9.x. 10.x has OpenSSL 1.0.1. Some ports require 1.0.2 which is in 
ports. OpenSSL 1.1.0 is soon to be released but almost certainly won't be in 
11. It's likely to always be an issue. It's up to each individual maintainer to 
make certain his or her ports behave correctly if binaries link to one another. 
For a port like this the proper solution is to use the least intrusive option. 

--
Jim


Re: Committer needed for PR 208029

2016-04-06 Thread Kurt Jaeger
Hi!

> This is much ado about nothing. The "WITH_OPENSSL_PORT" option is there 
> for just this purpose and is used in many ports.

In 9.x this is sometimes a problem, if port X builds in variant 1
and port Y depends/links on X, but builds in variant 2. So it's
a temporary solution for 9.x and will be solved when 9.x is EOL'ed.

I'm not sure how this is solved in 10.x/11.x, probably the base SSL
is much more up2date.

> Forcing users who want to use this port to use OpenSSL from ports for 
> ALL ports is overkill.

> Think about official packages. Are ALL packages built against OpenSSL 
> from ports, or only those that need them? It's the latter, of course. 
> Are they incompatible in production? No.

There are grey areas, and I guess it will be like that for 9.x.

-- 
p...@opsec.eu+49 171 3101372 4 years to go !
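
Added example (not part of the thread): one way to spot the situation described in the message above, where a binary and something it links against end up on different OpenSSL builds, is to look for both base and ports copies of libssl/libcrypto in a single ldd listing. The ldd text, paths and sonames below are constructed sample data, and treating /usr/local as the ports prefix is an assumption.

```shell
#!/bin/sh
# Added example: flag binaries whose ldd listing pulls in OpenSSL libraries
# from both the base system and the ports prefix. Function names are
# hypothetical; /usr/local as the ports prefix is an assumption.

# Read ldd output on stdin and print one MIXED line for every binary whose
# listing contains libssl/libcrypto from both locations.
mixed_openssl_links() {
    awk '
        function report() {
            if (bin != "" && base != "" && ports != "")
                printf "MIXED %s: base=%s ports=%s\n", bin, base, ports
            base = ""; ports = ""
        }
        # A "path:" header line starts the listing for the next binary.
        /^[^ \t].*:$/ { report(); bin = substr($0, 1, length($0) - 1); next }
        # Entry lines look like: libssl.so.N => /path/libssl.so.N (0x...)
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\//)
                ports = (ports == "" ? "" : ports ",") $1
            else
                base = (base == "" ? "" : base ",") $1
        }
        END { report() }
    '
}

# Constructed ldd output for two binaries. app-a links base libssl itself and
# also drags in ports libcrypto through libfoo; app-b uses ports only.
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/app-a:
        libfoo.so.1 => /usr/local/lib/libfoo.so.1 (0x800a00000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x800c00000)
        libssl.so.7 => /usr/lib/libssl.so.7 (0x800e00000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x801000000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801400000)
        libc.so.7 => /lib/libc.so.7 (0x801800000)
/usr/local/bin/app-b:
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800e00000)
        libc.so.7 => /lib/libc.so.7 (0x801200000)
EOF
}

# Demo run on the constructed listing.
sample_ldd | mixed_openssl_links
```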


Re: Committer needed for PR 208029

2016-04-06 Thread Jim Ohlstein

Hello,

On 4/6/16 12:44 AM, Kurt Jaeger wrote:

> Hi!
>
>> Actually, I just noticed (when compiling the port), that the Makefile now says:
>>
>> WITH_OPENSSL_PORT=yes
>
> Yes, sorry, my fault. Fixed, and as suggested by mat: It is
> now as IGNORE with a message explaining how to do it for 9.x.



This is much ado about nothing. The "WITH_OPENSSL_PORT" option is there 
for just this purpose and is used in many ports. There's no reason some 
binaries can't be linked to one version of OpenSSL and others to 
another, so long as they aren't expected to work as one (I'd imagine a 
dynamically loaded module that is linked to a different library might 
cause a problem). That is the reason that ports contains a more current 
version than base. This is from the ports/www directory:


#  grep WITH_OPENSSL_PORT */Makefile
aws/Makefile:WITH_OPENSSL_PORT= yes
drood/Makefile:WITH_OPENSSL_PORT=   yes
h2o/Makefile:WITH_OPENSSL_PORT= no
h2o/Makefile:WITH_OPENSSL_PORT= yes
mod_tsa/Makefile:WITH_OPENSSL_PORT= yes
nginx-devel/Makefile:WITH_OPENSSL_PORT= yes
nginx-devel/Makefile:WITH_OPENSSL_PORT= yes
nginx/Makefile:WITH_OPENSSL_PORT=   yes
nginx/Makefile:WITH_OPENSSL_PORT=   yes
obhttpd/Makefile:WITH_OPENSSL_PORT=yes
owncloud/Makefile:WITH_OPENSSL_PORT=yes
spdylay/Makefile:.if ${OSVERSION} < 100 && !defined(WITH_OPENSSL_PORT)
tengine/Makefile:WITH_OPENSSL_PORT= yes
tomcat-native/Makefile:WITH_OPENSSL_PORT=   yes

I'm sure there are dozens of others.

Forcing users who want to use this port to use OpenSSL from ports for 
ALL ports is overkill.


Think about official packages. Are ALL packages built against OpenSSL 
from ports, or only those that need them? It's the latter, of course. 
Are they incompatible in production? No.


--
Jim Ohlstein


"Never argue with a fool, onlookers may not be able to tell the 
difference." - Mark Twain



Re: Committer needed for PR 208029

2016-04-06 Thread Mathieu Arnold


+--On 6 April 2016 07:33:50 +0200 Michelle Sullivan wrote:
| Kurt Jaeger wrote:
|> Hi!
|> 
|>> Actually, I just noticed (when compiling the port), that the Makefile
|>> now says:
|>> 
|>> WITH_OPENSSL_PORT=yes
|> Yes, sorry, my fault. Fixed, and as suggested by mat: It is
|> now as IGNORE with a message explaining how to do it for 9.x.
|> 
| Not sure about the IGNORE vs BROKEN but looks a *lot* better now. Would
| be interested as to an explanation of why the distinction between the
| two... especially as the port is 'broken' if you try and compile it
| against the wrong version of SSL...  Mathieu?

I'm sorry, I don't understand what you are asking.

-- 
Mathieu Arnold



Re: Committer needed for PR 208029

2016-04-05 Thread Michelle Sullivan

Kurt Jaeger wrote:

> Hi!
>
>> Actually, I just noticed (when compiling the port), that the Makefile now says:
>>
>> WITH_OPENSSL_PORT=yes
>
> Yes, sorry, my fault. Fixed, and as suggested by mat: It is
> now as IGNORE with a message explaining how to do it for 9.x.

Not sure about the IGNORE vs BROKEN but looks a *lot* better now. Would 
be interested as to an explanation of why the distinction between the 
two... especially as the port is 'broken' if you try and compile it 
against the wrong version of SSL...  Mathieu?


--
Michelle Sullivan
http://www.mhix.org/



Re: Committer needed for PR 208029

2016-04-05 Thread Kurt Jaeger
Hi!

> Actually, I just noticed (when compiling the port), that the Makefile now 
> says:
> 
> WITH_OPENSSL_PORT=yes

Yes, sorry, my fault. Fixed, and as suggested by mat: It is
now as IGNORE with a message explaining how to do it for 9.x.

-- 
p...@opsec.eu+49 171 3101372 4 years to go !


Re: Committer needed for PR 208029

2016-04-05 Thread Michelle Sullivan

Martin Waschbüsch wrote:

>> Umm probably a really bad idea...  consider this or something more
>> creative/descriptive:
>>
>> .if ${OPSYS} == FreeBSD && ${OSVERSION} < 100 && ${WITH_OPENSSL_PORT} != "yes"
>> BROKEN= You must set WITH_OPENSSL_PORT=yes in /etc/make.conf on Pre 10.x
>> .endif
>>
>> ... the idea instead of silently turning it on which could cause a myriad of
>> hell for production systems where some ports are compiled against
>> security/openssl and some against the base openssl... stop the compile and tell
>> the user what they have to do to resolve it... which will then make anything
>> else use the same openssl and lessen the dependency/library issues that could
>> happen.
>
> Actually, I just noticed (when compiling the port), that the Makefile now says:
>
> WITH_OPENSSL_PORT=yes
>
> GNUTLS_CONFIGURE_WITH=  gnutls
> GNUTLS_LIB_DEPENDS= libgnutls.so:security/gnutls
>
> POLARSSL_CONFIGURE_WITH=mbedtls
> POLARSSL_LIB_DEPENDS=   libmbedtls.so:security/polarssl13
>
> .include 
>
> .if ${OPSYS} == FreeBSD && ${OSVERSION} < 100
> WITH_OPENSSL_PORT=yes
> .endif
>
> Which means that the ports version is used regardless of OSVERSION...

Yup... which is so much worse in so many other ways.. (IMHO) ... I mean
why would you want to turn on openssl in any way if you have gnutls or
polarssl on...  I suspect the whole set of options and way it's
configured should be looked at a little more closely and have an option
openssl as well ... or at least the broken= so that it will inform the
user if the wrong version of openssl is attempted... and considering
FreeBSD policy over base libraries and major releases maybe an option to
set for including the ports version of openssl as well (so that a
compile on 10.x while may work, if there is a security issue the
prompting for openssl from ports will allow a person to patch up without
necessarily knowing the significance... you know give the users a chance
rather than leaving it to the FreeBSD Devs to say you are better off
doing what we tell you.)

> Shall I open a PR for it and incorporate the BROKEN= approach?

I'm not the right person to ask over that question, I'm just throwing a
suggestion on how you might consider handling it and other similar
issues in ways that are a lot more useful and less error/dependency
prone.  Bad things/assumptions in makefiles end up with version lock-in
and/or broken linking/compiles when something needs to be upgraded...
and the all singing all dancing pkg system is no better than the old
system of pkg_add when it comes to these problems (in fact in some ways
it's worse... because it tries to do the right thing when the right thing
is actually impossible until someone changes compile options.)


--
Michelle Sullivan
http://www.mhix.org/



Re: Committer needed for PR 208029

2016-04-05 Thread Martin Waschbüsch

> Umm probably a really bad idea...  consider this or something more 
> creative/descriptive:
> 
> .if ${OPSYS} == FreeBSD && ${OSVERSION} < 100 && ${WITH_OPENSSL_PORT} != "yes"
> BROKEN=   You must set WITH_OPENSSL_PORT=yes in /etc/make.conf on Pre 10.x
> .endif
> 
> 
> ... the idea instead of silently turning it on which could cause a myriad of 
> hell for production systems where some ports are compiled against 
> security/openssl and some against the base openssl... stop the compile and 
> tell the user what they have to do to resolve it... which will then make 
> anything else use the same openssl and lessen the dependency/library issues 
> that could happen.

Actually, I just noticed (when compiling the port), that the Makefile now says:

WITH_OPENSSL_PORT=yes

GNUTLS_CONFIGURE_WITH=  gnutls
GNUTLS_LIB_DEPENDS= libgnutls.so:security/gnutls

POLARSSL_CONFIGURE_WITH=mbedtls
POLARSSL_LIB_DEPENDS=   libmbedtls.so:security/polarssl13

.include 

.if ${OPSYS} == FreeBSD && ${OSVERSION} < 100
WITH_OPENSSL_PORT=yes
.endif

Which means that the ports version is used regardless of OSVERSION...

Shall I open a PR for it and incorporate the BROKEN= approach?

Martin


Re: Committer needed for PR 208029

2016-04-05 Thread Michelle Sullivan

Kurt Jaeger wrote:

> Hi!
>
>> I'm testbuilding those ports right now and find that
>> they fail on 9.3amd64 with:
>
> With this in the -server Makefile, all is fine.
>
> .if ${OPSYS} == FreeBSD && ${OSVERSION} < 100
> WITH_OPENSSL_PORT=yes
> .endif

Umm probably a really bad idea...  consider this or something more
creative/descriptive:

.if ${OPSYS} == FreeBSD && ${OSVERSION} < 100 && ${WITH_OPENSSL_PORT} != "yes"
BROKEN= You must set WITH_OPENSSL_PORT=yes in /etc/make.conf on Pre 10.x
.endif


... the idea instead of silently turning it on which could cause a 
myriad of hell for production systems where some ports are compiled 
against security/openssl and some against the base openssl... stop the 
compile and tell the user what they have to do to resolve it... which 
will then make anything else use the same openssl and lessen the 
dependency/library issues that could happen.


Regards,

--
Michelle Sullivan
http://www.mhix.org/



Re: Committer needed for PR 208029

2016-04-05 Thread Michelle Sullivan

Kurt Jaeger wrote:

> Hi!
>
>> Could someone please have a look at this one.
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208029
>>
>> All patches got approval from the maintainer.
>> For all I can see this should be ready to be committed.
>>
>> If I overlooked anything or more information is needed,
>> please let me know and I'll try my best to fix this.
>
> I'm testbuilding those ports right now and find that
> they fail on 9.3amd64 with:
>
> checking for OpenSSL support... yes
> configure: error: OpenSSL library version requirement not met (>= 1.0.1)
>
> So it seems that OpenSSL and 9.3amd64 do not build ? Should the
> default for 9.3 probably be something else like gnutls or polarssl ?

OPENSSL from Ports is newer and will compile on 9.3amd64... the base 
OpenSSL is too old and 9.3 is legacy... according to re@


--
Michelle Sullivan
http://www.mhix.org/



Re: Committer needed for PR 208029

2016-04-05 Thread Martin Waschbüsch

> On 05.04.2016 at 22:15, Kurt Jaeger wrote:
> 
> Hi!
> 
>> Could someone please have a look at this one.
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208029
>> 
>> All patches got approval from the maintainer.
>> For all I can see this should be ready to be committed.
> 
> Done.

Thanks a lot, Kurt!

Best,

Martin


Re: Committer needed for PR 208029

2016-04-05 Thread Kurt Jaeger
Hi!

> Could someone please have a look at this one.
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208029
> 
> All patches got approval from the maintainer.
> For all I can see this should be ready to be committed.

Done.

-- 
p...@opsec.eu+49 171 3101372 4 years to go !


Re: Committer needed for PR 208029

2016-04-05 Thread Kurt Jaeger
Hi!

> I'm testbuilding those ports right now and find that
> they fail on 9.3amd64 with:

With this in the -server Makefile, all is fine.

.if ${OPSYS} == FreeBSD && ${OSVERSION} < 100
WITH_OPENSSL_PORT=yes
.endif

-- 
p...@opsec.eu+49 171 3101372 4 years to go !


Re: Committer needed for PR 208029

2016-04-05 Thread Kurt Jaeger
Hi!

> I'm testbuilding those ports right now and find that
> they fail on 9.3amd64 with:
> 
> checking for OpenSSL support... yes
> configure: error: OpenSSL library version requirement not met (>= 1.0.1)
> 
> So it seems that OpenSSL and 9.3amd64 do not build ? Should the
> default for 9.3 probably be something else like gnutls or polarssl ?

gnutls works fine:

cur 93a 103 10i done
cur 93a 103 10i done
cur 93a 103 10i done

-- 
p...@opsec.eu+49 171 3101372 4 years to go !


Re: Committer needed for PR 208029

2016-04-05 Thread Kurt Jaeger
Hi!

> Could someone please have a look at this one.
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208029
> 
> All patches got approval from the maintainer.
> For all I can see this should be ready to be committed.
> 
> If I overlooked anything or more information is needed,
> please let me know and I'll try my best to fix this.

I'm testbuilding those ports right now and find that
they fail on 9.3amd64 with:

checking for OpenSSL support... yes
configure: error: OpenSSL library version requirement not met (>= 1.0.1)

So it seems that OpenSSL and 9.3amd64 do not build ? Should the
default for 9.3 probably be something else like gnutls or polarssl ?

-- 
p...@opsec.eu+49 171 3101372 4 years to go !


Committer needed for PR 208029

2016-04-05 Thread Martin Waschbüsch
Hi all,

Could someone please have a look at this one.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208029

All patches got approval from the maintainer.
For all I can see this should be ready to be committed.

If I overlooked anything or more information is needed,
please let me know and I'll try my best to fix this.

Thanks,

Martin