
security/libressl-devel: Add next-stable LibreSSL 2.3 port
Closed, Public

Authored by brnrd on Sep 7 2015, 11:19 AM.

Details

Summary

Proposed commit message:

security/libressl-devel: Add next-stable LibreSSL 2.3 port

  - Transfer maintainership of security/libressl to brnrd@
  - Add security/libressl-devel for version 2.3.1
  - Including corrections for CVE-2015-3194/3195
  - Add support for multiple versions to bsd.openssl.mk
  - Add option to optionally install API man-pages (201462)
  - Disable silent rules output

Changes:

  - ftp://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.0-relnotes.txt
  - ftp://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.1-relnotes.txt

PR:		201462
Submitted by: 	adamw (201462)
Reviewed_by:	vsevolod (mentor, maintainer), koobs (mentor), feld (mentor)
Approved by:	(mentor)
Differential_Revision:	https://reviews.freebsd.org/D3585
Test Plan
  • Poudriere testport
  • Poudriere Bulk of private repo
  • portlint -AC (clean)
  • make regression-test all tests PASS

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

adamw added inline comments. Sep 25 2015, 10:29 PM
security/libressl/Makefile
42 ↗(On Diff #8930)

Did you want to uncomment the post-install-MAN3-off target?

brnrd marked 5 inline comments as done. Oct 8 2015, 6:31 PM
brnrd added inline comments.
security/libressl/Makefile
24 ↗(On Diff #8930)

There's now a maintainer-approved patch for devel/tcltls see D3695

42 ↗(On Diff #8930)

Yes. This has now been fixed.

brnrd marked an inline comment as done. Oct 8 2015, 6:39 PM
brnrd edited edge metadata.
brnrd updated this revision to Diff 9254.

Update with latest patch-set closing all comments

  • devel/tcltls conflict solved in D3695
  • Include Mk/bsd.openssl.mk patch
  • Include security/Makefile patch
brnrd retitled this revision from security/libressl: Update to 2.3.0 PRE-RELEASE to security/libressl-devel: Add next-stable LibreSSL 2.3.0 port. Oct 8 2015, 6:43 PM
brnrd updated this object.
brnrd edited edge metadata.
brnrd updated this revision to Diff 9444. Oct 16 2015, 8:35 AM

Update to latest including vulnerability fixes

koobs edited edge metadata. Edited Oct 16 2015, 8:43 AM
koobs accepted this revision.

LGTM, great work.

The commit log is missing spaces where there should be some, and Differential Revision: needs to go on the last line.

brnrd edited edge metadata. Oct 16 2015, 11:46 AM
brnrd updated this revision to Diff 9448.

Transfer maintainership

brnrd updated this object. Oct 16 2015, 11:47 AM
brnrd edited edge metadata.
koobs edited edge metadata. Oct 16 2015, 12:15 PM
koobs requested changes to this revision.
koobs added inline comments.
security/libressl-devel/Makefile
6 ↗(On Diff #9448)

PORTREVISION shouldn't be needed for an initial add port?

security/libressl-devel/files/patch-include_openssl_opensslv.h
8 ↗(On Diff #9448)

/* These will never change */

But they changed, please document the need/rationale in the patch header for future selves

This revision now requires changes to proceed. Oct 16 2015, 12:15 PM
brnrd marked 2 inline comments as done. Nov 7 2015, 3:12 PM
brnrd added inline comments.
security/libressl-devel/Makefile
6 ↗(On Diff #9448)

Correct. This was done for PC-BSD that already had 2.3.0 without a security patch in use.
Gone now.

security/libressl-devel/files/patch-include_openssl_opensslv.h
8 ↗(On Diff #9448)

Added comment to patch file

brnrd edited edge metadata. Nov 7 2015, 3:23 PM
brnrd marked 2 inline comments as done.
brnrd updated this revision to Diff 10009.
  • Update security/libressl-devel to 2.3.1
  • Add comment to OPENSSL_VERSION patch
  • Redo optional nc install
koobs edited edge metadata. Nov 8 2015, 10:55 AM
koobs requested changes to this revision.
koobs added inline comments.
security/libressl-devel/Makefile
34 ↗(On Diff #10009)

Since the new test framework (See TEST_* in Mk/bsd.port.mk), should be able to update this to:

TEST_TARGET=check

This revision now requires changes to proceed. Nov 8 2015, 10:55 AM
brnrd retitled this revision from security/libressl-devel: Add next-stable LibreSSL 2.3.0 port to security/libressl-devel: Add next-stable LibreSSL 2.3.1 port. Nov 11 2015, 6:58 PM
brnrd edited edge metadata.
brnrd edited edge metadata. Nov 15 2015, 6:10 PM
brnrd updated this revision to Diff 10205.

Rework regression-test target to TEST_TARGET

brnrd edited edge metadata. Dec 5 2015, 11:39 AM
brnrd updated this revision to Diff 10785.

Add patch for CVE-2015-1794

brnrd edited edge metadata. Dec 8 2015, 10:11 AM
brnrd updated this revision to Diff 10904.

Add fix for CVE-2015-3195 as well

  • Bump portrevision for PC-BSD
brnrd retitled this revision from security/libressl-devel: Add next-stable LibreSSL 2.3.1 port to security/libressl-devel: Add next-stable LibreSSL 2.3 port. Jan 1 2016, 8:23 PM
brnrd updated this object.
brnrd added a reviewer: feld.
brnrd marked an inline comment as done. Jan 1 2016, 8:27 PM
brnrd updated this revision to Diff 11851.

Update LibreSSL patches

  • Record change of maintainer for security/libressl
koobs edited edge metadata. Jan 2 2016, 4:19 PM
koobs requested changes to this revision.

@brnrd Can you pull the security/libressl changes out of this review, leaving only the new -devel parts?

They should really be in isolated changes. Apologies for not asking for this sooner

This revision now requires changes to proceed. Jan 2 2016, 4:19 PM
brnrd edited edge metadata. Jan 2 2016, 7:13 PM
brnrd updated this revision to Diff 11861.

Make change atomic, exclude changes to other ports

brnrd added a comment. Jan 2 2016, 7:14 PM
In D3585#100968, @koobs wrote:

@brnrd Can you pull the security/libressl changes out of this review, leaving only the new -devel parts?
They should really be in isolated changes. Apologies for not asking for this sooner

Corrected!

security/libressl-devel/Makefile
7 ↗(On Diff #10904)

Required for PC-BSD that has been using LibreSSL 2.3 since 2015-10-03 and the security/libressl-devel port since 2015-11-13 for pcbsd-101-RELEASE. This revision includes the CVE-2015-3194 and CVE-2015-3195 corrections.

brnrd edited edge metadata. Jan 2 2016, 7:29 PM
brnrd updated this revision to Diff 11862.

Fix imminent make index failure

feld edited edge metadata. Jan 3 2016, 8:31 PM
feld requested changes to this revision.

What happened to the man page situation? It still looks like we're installing 1400 man pages :-)

This revision now requires changes to proceed. Jan 3 2016, 8:31 PM
adamw added a comment. Jan 3 2016, 8:39 PM
In D3585#101156, @feld wrote:

What happened to the man page situation? It still looks like we're installing 1400 man pages :-)

Is the MAN3 option not working for you?

They're removed before packaging in post-install-MAN3-off. It's simple that way, and less trivial to patch up libressl not to install them to STAGEDIR in the first place (but still to install the man1 page

In this case, they're processed/installed with install(1) and ln(1), so it doesn't add much to build time. In openssl, by contrast, it has its own installation script (because openssl has to roll their own everything), and processing the manpages adds considerable build time.

feld added a comment. Jan 3 2016, 8:49 PM

I didn't build it yet to confirm -- the pkg-plist visualization in phabric that makes it appear that it will be using a 1562 line pkg-plist with 1400+ man pages.

adamw added a comment. Jan 3 2016, 8:51 PM
In D3585#101174, @feld wrote:

I didn't build it yet to confirm -- the pkg-plist visualization in phabric that makes it appear that it will be using a 1562 line pkg-plist with 1400+ man pages.

Gotcha. It deletes those lines from the plist as the last step. The manpages are all installed by default.

feld edited edge metadata. Jan 3 2016, 9:11 PM
feld accepted this revision.
In D3585#101175, @adamw wrote:
In D3585#101174, @feld wrote:

I didn't build it yet to confirm -- the pkg-plist visualization in phabric that makes it appear that it will be using a 1562 line pkg-plist with 1400+ man pages.

Gotcha. It deletes those lines from the plist as the last step. The manpages are all installed by default.

Aha! I'm not used to seeing the plist handled like that. :) I've tested build and this looks sane to me.

koobs edited edge metadata. Jan 4 2016, 9:24 AM
koobs accepted this revision.
brnrd marked 2 inline comments as done. Jan 4 2016, 9:41 AM
brnrd added inline comments.
UPDATING
18 ↗(On Diff #8752)

After refactoring to keep the current security/libressl and creating a new security/libressl-devel this addition to UPDATING has been removed

security/libressl-devel/Makefile
42 ↗(On Diff #11862)
In D3585#101156, @feld wrote:

What happened to the man page situation? It still looks like we're installing 1400 man pages :-)

This not working for you?

koobs removed a reviewer: portmgr. Jan 4 2016, 11:32 AM
This revision is now accepted and ready to land. Jan 4 2016, 11:32 AM
koobs added a comment. Jan 4 2016, 11:33 AM

@dinoex doesn't have a phabricator account to review/approve.

@mat approved the removal of portmgr from this review given they do not maintain openssl.mk

This commit is free to land @brnrd

brnrd marked an inline comment as done. Jan 4 2016, 1:55 PM
This revision was automatically updated to reflect the committed changes.