[oi-dev] OpenSSL update process

Aurélien Larcher aurelien.larcher at gmail.com
Sun Feb 7 17:27:43 UTC 2021


On Sun, Feb 7, 2021 at 5:02 PM Andreas Wacknitz <A.Wacknitz at gmx.de> wrote:

> On 07.02.21 at 14:09, Aurélien Larcher wrote:
>
>
>
> On Sun, Feb 7, 2021 at 1:21 PM Andreas Wacknitz <A.Wacknitz at gmx.de> wrote:
>
>> On 06.02.21 at 21:56, Aurélien Larcher wrote:
>>
>>
>> OpenSSL 1.1 is now merged:
>>
>> 1. The mediator is default set to 1.0 but can be safely set to 1.1.
>> 2. illumos-gate is patched to accept library/security/openssl-11 as
>> dependency so that it builds when the mediator version is 1.1.
>> 3. oi-userland has now a switch USE_OPENSSL10=yes or USE_OPENSSL11=yes
>> which should be placed before shared-macros.mk is included.
>> 4. If 'gmake update' is executed in a component depending on OpenSSL then
>> the switch is made to OpenSSL 1.1 unless USE_OPENSSL10=yes is set.
>>
>> Now the fun begins:
>>
>> 3. Move all the components supporting OpenSSL 1.1 or update them.
>>> 4. Deprecate possible rotting components which cannot be updated and may
>>> cause security issues.
>>>
>>
>> and... the more, the merrier!
>>
>>
>> Cheers
>>
>>
>> _______________________________________________
>> oi-dev mailing list
>> oi-dev at openindiana.org
>> https://openindiana.org/mailman/listinfo/oi-dev
>>
>> Hi,
>>
>> do we have a problem with missing engine files in the openssl-11 package?
>>
>> ╰─➤  cat /usr/openssl/1.1/lib/pkgconfig/libcrypto.pc
>> prefix=/usr/openssl/1.1
>> exec_prefix=${prefix}
>> libdir=${exec_prefix}/lib/
>> includedir=${prefix}/include
>> enginesdir=${libdir}/engines-1.1
>>
>> Name: OpenSSL-libcrypto
>> Description: OpenSSL cryptography library
>> Version: 1.1.1i
>> Libs: -L${libdir} -lcrypto
>> Libs.private: -lsocket -lnsl -ldl -pthread
>> Cflags: -I${includedir}
>>
>> So, libcrypto.pc states that there shall be /usr/openssl/1.1/lib/engine
>> files but there aren't any (same for 64-bit):
>>
>
> It seems like they did not bother to remove the enginesdir variable from
> the .pc file if engines are not built...
>
> We could ship an empty directory or patch the .pc files but if you think
> that it is better to ship the engines we can do that also.
> I do not really know who consumes them...
>
> I don't know either. But letting a .pc file point to something
> non-existing is the worst way imo.
>

But there is no support for them in any case so the probability that a
broken build system would use that path after detecting that engines are
not shipped is thin...

> Best would probably be to ship them where they are expected.
>

If you have time you could just enable them and publish a new openssl, but
even then we do not ship pk11 unless someone takes time to look at it.

There are no consumers so it is likely not going to make much difference
but at least consistency is restored.

Do what you think is best.




-- 
---
Praise the Caffeine embeddings