If you wish, you may rebuild all dports to use non-base SSL library of your choice

John Marino dragonflybsd at marino.st
Sun Oct 16 21:53:28 PDT 2016

On 9/17/2016 09:47, John Marino wrote:
> The DPorts tree has been audited and fixed to work with dports-based SSL
> libraries such as:
>   /security/openssl
>   /security/openssl-devel (untested)
>   /security/libressl
>   /security/libressl-devel (untested)
> Currently they will still build with the DF base openssl libraries.  If
> you want to use one of the dports SSL libraries above, put
> "SSL_DEFAULT=<portname>" in your make.conf and rebuild them all.
> For example, put:
> SSL_DEFAULT=libressl
> in /usr/local/etc/synth/LiveSystem-make.conf
> and use synth to rebuild all packages, then reinstall from your local
> repository.
> In about a week, the dports framework will be changed to use
> dports-based libressl be default ON MASTER (existing releases will still
> use base openssl), so if you want something else on master you need to
> set SSL_DEFAULT anyway.  (Note that there are a few ports that are
> OpenSSL-only, so those will only be available to people that build their
> own packages with SSL_DEFAULT=openssl set in the future).
> You can maintain the current behavior by setting "SSL_DEFAULT=base" in
> make.conf, but at some point we are going to unhook the base OpenSSL
> from the build by default.
> Let's pick a date, say 14 October 2016.
> I proposed that after that point, the base openSSL will not longer build
> and "make upgrade" will remove it from the system.  We can have a new
> build variable, e.g. KEEP_OPENSSL, that would keep building it and not
> remove it during upgrade, but that variable would probably be removed
> before the next release.
> If anyone has a big issue with that proposal, just speak up.  Nothing is
> set in stone yet.

To follow up, I just pushed a commit that implements the following:
1) OpenSSL will no longer be built by default
2) Existing libraries, headers, and man pages will remain installed
3) Those can be removed with "make upgrade REMOVE_OPENSSL_FILES=yes 
after the next installworld
4) For the next 4 weeks or so, the base OpenSSL can be built with the 
rest of base if FORCE_OPENSSL=yes is set in /etc/make.conf.


The DPorts packages have been built with the dports-default LibreSSL for 
a few weeks now, so if the system has current packages, the chances are 
that nothing on the system links to base openssl, but any software built 
outside of ports might do so.  Once it's verified that nothing links to 
base OpenSSL, I'd recommend removing it.

In about a month, I believe we'll remove the OpenSSL sources and 
makefiles completely.


This email has been checked for viruses by Avast antivirus software.

More information about the Users mailing list