LibreSSL 3.5.0 causes build issues with various packages
Closed this issue · 9 comments
The bump to LibreSSL 3.5.0 has caused many packages to fail to build. A few I've noticed personally include dev-perl/Net-SSLeay, dev-python/m2crypto (and hence net-wireless/crda), dev-qt/qtnetwork, and libevent (can be fixed by building without ssl USE flag, but this isn't really ideal).
The patch files for these packages (and likely others) will need to be updated if support for these packages is desired. Hence it's probably a good idea for most people using this overlay to hold LibreSSL at version 3.4.2 (or older) until the patch files get updated to work with the new 3.5.0.
Just from a brief look at build logs of these packages in particular, it seems that many of the compile-time errors are due to LibreSSL's structs now being written in an 'opaque' style (which is meant to be more compatible with OpenSSL, which does this already).
From the release notes:
- Most structs that were previously defined in the following headers
are now opaque as they are in OpenSSL 1.1:
bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
x509.h, x509v3.h, x509_vfy.h
In the case of packages that can be dropped for newer libressl while are still needed for older libressl perhaps they should be left alone where the user can mask them locally until the newer libressl is stabilized?
How could we set a mask in this configuration? Maybe is it better to do nothing for now, and later drop dev- python/m2crypto from the overlay?
I was actually able to get m2crypto-0.38.0 to build using the following patch:
m2crypto-libressl-0.38.0.patch.txt
The thing to note is the 3.5.0 version check I added on line 165 to exclude OpenSSL 1.1.0 compatibility stuff that seems to work with the new LibreSSL out of the box:
/* Macros for things not defined before 1.1.0 */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL)
This also allows crda to build successfully with it too. However I'm not 100% sure if this is actually all that is required to be a proper fix (e.g. may be other packages that depend on it that could be affected; though crda is the only package i have that depends on m2crypto)
Make sure there are no implicit function declaration warnings, that was what was the issue last time. I haven't had time to update my gentoo lately, but maybe I will be able to join in on the fun soon. :)
net-dns/bind-tools was magically fixed by the 9.16.27 update in the gentoo repo.
@thesamesam Thanks!
The fix for net-dns/unbound is just a version bump for gentoo so I made a PR there.
Edit:
I missed the already open PR...
net-misc/vpn can be fixed by removing a forgotten (?) libressl patch in the gentoo repo.