[0/1] OpenSSL 1.1.0

Message ID 20160902201422.GA3701@jasmine
State New

Commit Message

Leo Famulari Sept. 2, 2016, 8:14 p.m. UTC
On Fri, Sep 02, 2016 at 02:43:58PM +0200, Ludovic Courtès wrote:
> > I also read about lots of breakage due to the update so I think it’s
> > okay to add it as “openssl-next” for now.
> 
> Agreed (though it's fine to use “openssl” in the ‘name’ field IMO.)

When I put "openssl" in the 'name' field, as attached, `guix build
openssl` gives me 1.1.0, which is not right. The other *-next packages
all seem to use "name-next" as the name.

From b09132baa7181542b82804985aac7d5f030ec545 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 2 Sep 2016 16:07:29 -0400
Subject: [PATCH] gnu: Add openssl-next.

* gnu/packages/tls.scm (openssl-next): New variable.
* gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                       |   1 +
 .../patches/openssl-1.1.0-c-rehash-in.patch        |  19 ++++
 gnu/packages/tls.scm                               | 103 +++++++++++++++++++++
 3 files changed, 123 insertions(+)
 create mode 100644 gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch

Comments

Leo Famulari Sept. 2, 2016, 8:30 p.m. UTC | #1
On Fri, Sep 02, 2016 at 04:14:22PM -0400, Leo Famulari wrote:
> +(define-public openssl-next
> +  (package
> +    (inherit openssl)

Also, I wonder if this should inherit from openssl?

Presumably there will be more security updates to openssl@1.0.2 before
openssl@1.1.0 is ready for general use, and I wouldn't like for
openssl@1.0.2 updates to be delayed while we wait to see if
openssl@1.1.0 still builds with the changes.

Ludovic Courtès Sept. 3, 2016, 1:50 p.m. UTC | #2
Leo Famulari <leo@famulari.name> skribis:

> On Fri, Sep 02, 2016 at 02:43:58PM +0200, Ludovic Courtès wrote:
>> > I also read about lots of breakage due to the update so I think it’s
>> > okay to add it as “openssl-next” for now.
>> 
>> Agreed (though it's fine to use “openssl” in the ‘name’ field IMO.)
>
> When I put "openssl" in the 'name' field, as attached, `guix build
> openssl` gives me 1.1.0, which is not right. The other *-next packages
> all seem to use "name-next" as the name.

Yes, but it’s different.  Guile 2.1, for instance, is the development
series, so it makes sense to give it a different name so users don’t end
up using the “wrong” series.

Conversely, IIUC, OpenSSL 1.1.0 is the new stable series, no?

> On Fri, Sep 02, 2016 at 04:14:22PM -0400, Leo Famulari wrote:
>> +(define-public openssl-next
>> +  (package
>> +    (inherit openssl)
>
> Also, I wonder if this should inherit from openssl?
>
> Presumably there will be more security updates to openssl@1.0.2 before
> openssl@1.1.0 is ready for general use, and I wouldn't like for
> openssl@1.0.2 updates to be delayed while we wait to see if
> openssl@1.1.0 still builds with the changes.

Though OpenSSL builds in 5–10 minutes, so the extra check wouldn’t take
so long, no?

Anyway, if you think keeping them separate is more convenient, go for it!

Thanks,
Ludo’.

Leo Famulari Sept. 3, 2016, 2:06 p.m. UTC | #3
On Sat, Sep 03, 2016 at 03:50:55PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > When I put "openssl" in the 'name' field, as attached, `guix build
> > openssl` gives me 1.1.0, which is not right. The other *-next packages
> > all seem to use "name-next" as the name.
> 
> Yes, but it’s different.  Guile 2.1, for instance, is the development
> series, so it makes sense to give it a different name so users don’t end
> up using the “wrong” series.
> 
> Conversely, IIUC, OpenSSL 1.1.0 is the new stable series, no?

1.1.0 is the new stable series, but I haven't found any software that
can use the new interface yet. So, I don't want to make 1.1.0 the
default OpenSSL version in Guix. Does that make sense?

> > Also, I wonder if this should inherit from openssl?
> >
> > Presumably there will be more security updates to openssl@1.0.2 before
> > openssl@1.1.0 is ready for general use, and I wouldn't like for
> > openssl@1.0.2 updates to be delayed while we wait to see if
> > openssl@1.1.0 still builds with the changes.
> 
> Though OpenSSL builds in 5–10 minutes, so the extra check wouldn’t take
> so long, no?

I guess it will not matter for now, since nothing will be using it. When
it becomes widely used, we can revisit this question.

Ludovic Courtès Sept. 3, 2016, 2:34 p.m. UTC | #4
Leo Famulari <leo@famulari.name> skribis:

> On Sat, Sep 03, 2016 at 03:50:55PM +0200, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> > When I put "openssl" in the 'name' field, as attached, `guix build
>> > openssl` gives me 1.1.0, which is not right. The other *-next packages
>> > all seem to use "name-next" as the name.
>> 
>> Yes, but it’s different.  Guile 2.1, for instance, is the development
>> series, so it makes sense to give it a different name so users don’t end
>> up using the “wrong” series.
>> 
>> Conversely, IIUC, OpenSSL 1.1.0 is the new stable series, no?
>
> 1.1.0 is the new stable series, but I haven't found any software that
> can use the new interface yet. So, I don't want to make 1.1.0 the
> default OpenSSL version in Guix. Does that make sense?

Yes, but as long as ‘openssl’ refers to 1.0.x, it doesn’t really matter
that the “openssl” package points to the latest one, no?  Users can still
run “guix package -i openssl@1.0” if they want.

Ludo’.

Patch

diff --git a/gnu/local.mk b/gnu/local.mk
index efb00b9..0c2740d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -699,6 +699,7 @@  dist_patch_DATA =						\
   %D%/packages/patches/openjpeg-CVE-2015-6581.patch		\
   %D%/packages/patches/openjpeg-use-after-free-fix.patch	\
   %D%/packages/patches/openssl-runpath.patch			\
+  %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch		\
   %D%/packages/patches/openssl-c-rehash-in.patch		\
   %D%/packages/patches/openssl-CVE-2016-2177.patch		\
   %D%/packages/patches/openssl-CVE-2016-2178.patch		\
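Review bot: no functional issue with this hunk; one placement note: the openssl-* block is not alphabetically sorted (openssl-runpath.patch precedes openssl-c-rehash-in.patch), so inserting openssl-1.1.0-c-rehash-in.patch directly before its 1.0.2 counterpart, as done here, is the right choice because it keeps the two c_rehash patches adjacent for anyone updating them together.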
diff --git a/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch b/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch
new file mode 100644
index 0000000..e3a982b
--- /dev/null
+++ b/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch
@@ -0,0 +1,19 @@ 
+This patch removes the explicit reference to the 'perl' binary,
+such that OpenSSL does not retain a reference to Perl.
+
+The 'c_rehash' program is seldom used, but it is used nonetheless
+to create symbolic links to certificates, for instance in the 'nss-certs'
+package.
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index 2fef627..9d40eae 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -1,4 +1,6 @@
+-#!{- $config{hashbangperl} -}
++eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}'
++  & eval 'exec perl -wS "$0" $argv:q'
++    if 0;
+ 
+ # {- join("\n# ", @autowarntext) -}
+ # Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
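Review bot: the description at the top of the patch should state the run-time consequence of the change: replacing the `#!{- $config{hashbangperl} -}` line with the `eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}'` trampoline means c_rehash locates `perl` through PATH when it runs, so it only works in an environment that provides Perl (the 'nss-certs' build mentioned in the header must have it available). It is also worth recording that this mirrors the existing openssl-c-rehash-in.patch listed alongside it in local.mk, so the two stay in sync when either is revised.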
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 4b87150..389fea4 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -323,6 +323,109 @@  required structures.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))
 
+(define-public openssl-next
+  (package
+    (inherit openssl)
+    (name "openssl")
+    (version "1.1.0")
+    (source (origin
+             (method url-fetch)
+             (uri (list (string-append "ftp://ftp.openssl.org/source/"
+                                       name "-" version ".tar.gz")
+                        (string-append "ftp://ftp.openssl.org/source/old/"
+                                       (string-trim-right version char-set:letter)
+                                       "/" name "-" version ".tar.gz")))
+              (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
+              (sha256
+               (base32
+                "10lcpmnxap9nw8ymdglys93cgkwd1lf1rz4fhq5whwhlmkwrzipm"))))
+    (outputs '("out"
+               "doc"        ;1.3MiB of man3 pages
+               "static"))   ; 5.5MiB of .a files
+    (arguments
+     (substitute-keyword-arguments (package-arguments openssl)
+       ((#:phases phases)
+        `(modify-phases ,phases
+          (add-after 'configure 'patch-runpath
+            (lambda* (#:key outputs #:allow-other-keys)
+              (let ((lib (string-append (assoc-ref outputs "out") "/lib")))
+                (substitute* "Makefile.shared"
+                  (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}")
+                   (string-append "$${SHAREDCMD} $${SHAREDFLAGS}"
+                                  " -Wl,-rpath," lib)))
+                #t)))
+          (replace
+           'configure
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out")))
+               (zero?
+                (system* "./config"
+                         "shared"                   ;build shared libraries
+                         "--libdir=lib"
+  
+                         ;; The default for this catch-all directory is
+                         ;; PREFIX/ssl.  Change that to something more
+                         ;; conventional.
+                         (string-append "--openssldir=" out
+                                        "/share/openssl-" ,version)
+  
+                         (string-append "--prefix=" out)
+  
+                         ;; XXX FIXME: Work around a code generation bug in GCC
+                         ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
+                         ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
+                         ,@(if (and (not (%current-target-system))
+                                    (string-prefix? "armhf" (%current-system)))
+                               '("-mfpu=vfpv3")
+                               '()))))))
+          (add-after
+           'install 'make-libraries-writable
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; Make libraries writable so that 'strip' does its job.
+             (let ((out (assoc-ref outputs "out")))
+               (for-each (lambda (file)
+                           (chmod file #o644))
+                         (find-files (string-append out "/lib")
+                                     "\\.so"))
+               #t)))
+          (add-after 'install 'move-static-libraries
+            (lambda* (#:key outputs #:allow-other-keys)
+              ;; Move static libraries to the "static" output.
+              (let* ((out    (assoc-ref outputs "out"))
+                     (lib    (string-append out "/lib"))
+                     (static (assoc-ref outputs "static"))
+                     (slib   (string-append static "/lib")))
+                (mkdir-p slib)
+                (for-each (lambda (file)
+                            (install-file file slib)
+                            (delete-file file))
+                          (find-files lib "\\.a$"))
+                #t)))
+          (add-after 'install 'move-man3-pages
+            (lambda* (#:key outputs #:allow-other-keys)
+              ;; Move section 3 man pages to "doc".
+              (let* ((out    (assoc-ref outputs "out"))
+                     (man3   (string-append out "/share/man/man3"))
+                     (doc    (assoc-ref outputs "doc"))
+                     (target (string-append doc "/share/man/man3")))
+                (mkdir-p target)
+                (for-each (lambda (file)
+                            (rename-file file
+                                         (string-append target "/"
+                                                        (basename file))))
+                          (find-files man3))
+                (delete-file-recursively man3)
+                #t)))
+          (add-after
+           'install 'remove-miscellany
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; The 'misc' directory contains random undocumented shell and Perl
+             ;; scripts.  Remove them to avoid retaining a reference on Perl.
+             (let ((out (assoc-ref outputs "out")))
+               (delete-file-recursively (string-append out "/share/openssl-"
+                                                       ,version "/misc"))
+               #t)))))))))
+
 (define-public libressl
   (package
     (name "libressl")
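Review bot: `(name "openssl")` combined with `(string-append "ftp://ftp.openssl.org/source/" name "-" version ".tar.gz")` derives the tarball URL from the package name; if the name is changed to "openssl-next" (which the `openssl-next` variable and the cover message suggest), the URL becomes `.../openssl-next-1.1.0.tar.gz` and the fetch fails, so the URI should hard-code "openssl-" rather than use `name`. Keeping the name "openssl" has the side effect the cover message describes: `guix build openssl` resolves to this 1.1.0 package. Minor: the lines following `"--libdir=lib"`, `"/share/openssl-" ,version)` and `(string-append "--prefix=" out)` are whitespace-only lines with trailing spaces (`+  `) and should be emptied.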