Discussion:
[MacPorts] #55264: libressl @2.5.5: update to 2.6.3
MacPorts
2017-11-07 08:12:45 UTC
#55264: libressl @2.5.5: update to 2.6.3
--------------------+----------------------
Reporter: l2dy | Owner: jeremyhu
Type: update | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Keywords: | Port: libressl
--------------------+----------------------


--
Ticket URL: <https://trac.macports.org/ticket/55264>
MacPorts <https://www.macports.org/>
Ports system for macOS
MacPorts
2018-01-11 15:18:40 UTC
#55264: libressl @2.5.5: update to 2.6.3

Comment (by janstary):

2.6.4 is out

--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:1>
MacPorts
2018-01-11 15:27:39 UTC
#55264: libressl @2.5.5: update to 2.6.4

Comment (by ryandesign):

Jeremy, if you're deliberately holding libressl back on version 2.5.x, you
could update libressl-devel to 2.6.4; it's currently at 2.6.2.

--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:2>
MacPorts
2018-01-12 23:25:06 UTC
#55264: libressl @2.5.5: update to 2.6.4

Comment (by jeremyhu):

Yes, I wanted to hold off on doing any libressl update until we came to a
solution for #54744 because it's always a PITA to rev-upgrade-rebuild
everything ;)

--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:3>
MacPorts
2018-03-24 13:31:05 UTC
#55264: libressl @2.5.5: update to 2.6.4

Comment (by sierkb):

LibreSSL 2.7.1 released March 23rd, 2018.

--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:4>
MacPorts
2018-04-03 04:32:08 UTC
#55264: libressl @2.5.5: update to 2.6.4

Comment (by jeremyhu):

Yep, and we still don't have a good solution for #54744, and unfortunately
I don't have much free time on my calendar for a long while... =/
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:6>
MacPorts
2018-04-21 14:27:48 UTC
#55264: libressl @2.5.5: update to 2.6.4

Comment (by janstary):

I don't think https://trac.macports.org/ticket/54744 prevents us from
upgrading LibreSSL.
Reading the release notes since 2.6.2 (which we currently have in
libressl-devel) up to 2.7.2,
there are changes we definitely want to have. Cherrypicking these two:

* Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on observations
of real-world usage in applications.
* Fixed builds macOS 10.11 and older.

I believe we have much better reasons to upgrade than not to upgrade.
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:7>
MacPorts
2018-04-21 17:17:38 UTC
#55264: libressl @2.5.5: update to 2.6.4

Comment (by janstary):

https://github.com/macports/macports-ports/pull/1626
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:8>
MacPorts
2018-04-21 18:31:52 UTC
#55264: libressl @2.5.5: update to 2.6.4

Comment (by jeremyhu):

The reason not to is that the rebuild process is very manual and painful
for users. I think I'm ok bumping the -devel port, but we should keep the
"production" one at its current state until we solve #54744.
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:9>
MacPorts
2018-04-22 09:32:31 UTC
#55264: libressl @2.5.5: update to 2.6.4

Comment (by janstary):

If we do upgrade, the dependent ports need to be rebuilt, obviously.
But that's imho a very weak reason not to upgrade. There are ports
that can drop their OpenSSL/LibreSSL patch now. Isn't that the issue we
have with LibreSSL in general?

The fact that we have not yet figured out the right way for OpenSSL,
LibreSSL, WolfSSL etc to coexist
in general is not a reason to not upgrade: we are no worse off in that
regard with 2.7.2 than 2.5.5
(or any other version of any of the others, for that matter).

As for the libressl and libressl-devel: LibreSSL itself makes no
distinction between a "stable release"
or a "devel release". That's entirely ours (i.e. Jeremy's :-). I understand
the desire to have the "bleeding edge" separated,
so that you can install either the latest or the previous (typically). But
our libressl is 2.5.5 and our libressl-devel is 2.6.2;
that is, they are both behind.

(Personally, I would only have one libressl port; people can test the new
on a PR branch,
as opposed to having a separate port installed.)
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:10>
MacPorts
2018-04-22 10:01:18 UTC
#55264: libressl @2.5.5: update to 2.6.4

Comment (by raimue):

Is the libressl update ABI incompatible? Or what kind of breakage do we
expect?

I do not think solving #54744 first would help much with the update. Even
if openssl and libressl would coexist, and we had +openssl and +libressl
variants in all ports, it would still be required to rev-bump dependents
for ABI incompatible changes.

On ABI incompatible updates, we are usually rev-bumping dependents that
use it by default. If people chose to install a non-default port to
fulfill a dependency, we have no better solution to offer than to live
with the occasional brokenness. If rev-upgrade can detect the
incompatibility by examining the libraries (failing at load, not at
runtime), then it will automatically rebuild the broken ports locally.
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:11>
MacPorts
2018-04-22 10:17:58 UTC
#55264: libressl @2.5.5: update to 2.6.4

> As for the libressl and libressl-devel: LibreSSL itself makes no
> distinction between a "stable release"
> or a "devel release". That's entirely ours (i.e. Jeremy's :-). I
> understand the desire to have the "bleeding edge" separated,
> so that you can install either the latest or the previous (typically).
> But our libressl is 2.5.5 and our libressl-devel is 2.6.2;
> that is, they are both behind.

LibreSSL makes the distinction, though sometimes only one current release
exists. See
https://web.archive.org/web/20180401065306/http://www.libressl.org/:
{{{
The latest stable release is 2.6.4
The latest development release is 2.7.1
See the releases page for support information.
}}}
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:12>
MacPorts
2018-04-22 21:02:25 UTC
#55264: libressl @2.5.5: update to 2.6.4

Comment (by janstary):

OK, do we agree that figuring out https://trac.macports.org/ticket/54744
is not a prerequisite for bumping libressl?

If so, can we upgrade to 2.7.2 please?

Thanks for the stable/devel correction.
According to the homepage, 2.7.2 is the "stable" one now,
meaning "what is in the latest OpenBSD release"; there is no "devel"
release.
Would it make more sense then to upgrade libressl (as opposed to
libressl-devel)?

Staying with 2.5.5 < 2.7.2, we are really missing out.
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:14>
MacPorts
2018-04-23 15:22:35 UTC
#55264: libressl @2.5.5: update to 2.6.4

> If we do upgrade, the dependent ports need to be rebuilt, obviously.
> But that's imho a very weak reason not to upgrade. There are ports
> that can drop their OpenSSL/LibreSSL patch now. Isn't that the issue we
> have with LibreSSL in general?

No, I don't think anyone feels that patching is a problem. The problem is
that Libressl and OpenSSL are ABI incompatible (heck, OpenSSL is not ABI
compatible with OpenSSL and ditto for Libressl with itself), and we don't
have a good solution in place for installing multiple versions. Combined
with deep dependencies that make rev-upgrade impossible to solve, this
makes changing the ABIs quite problematic.

> The fact that we have not yet figured out the right way for OpenSSL,
> LibreSSL, WolfSSL etc to coexist
> in general is not a reason to not upgrade: we are no worse off in that
> regard with 2.7.2 than 2.5.5
> (or any other version of any of the others, for that matter).

Correct, we're no worse off with 2.7.2 vs 2.5.5 aside from the fact that
everyone using it will go through tremendous pain trying to rev-upgrade.
That's what I want to avoid. I want to make everyone go through that pain
just one more time (when we fix #54744).

> As for the libressl and libressl-devel: LibreSSL itself makes no
> distinction between a "stable release"
> or a "devel release". That's entirely ours (i.e. Jeremy's :-).

That's not entirely true (as pointed out above). However, one of the
major reasons for the -devel port has more or less gone away. For the
first few years of its life, Libressl was dropping more and more legacy
APIs between releases, so it made sense to test that out in -devel to
ensure no major problems and address them before moving to the stable
port.

> I understand the desire to have the "bleeding edge" separated,
> so that you can install either the latest or the previous (typically).
> But our libressl is 2.5.5 and our libressl-devel is 2.6.2;
> that is, they are both behind.

Yes, because those were the versions in place when #54744 was brought up,
so we decided to leave them there while someone worked on a solution to
that problem. However, nobody has solved that yet, and I haven't had any
time to devote to it either =/.

> OK, do we agree that figuring out https://trac.macports.org/ticket/54744
> is not a prerequisite for bumping libressl?
> If so, can we upgrade to 2.7.2 please?

I'm happy to bump libressl-devel since more people opt into the
rev-upgrade pain in using the -devel port.

> Thanks for the stable/devel correction.
> According to the homepage, 2.7.2 is the "stable" one now,
> meaning "what is in the latest OpenBSD release"; there is no "devel"
> release.
> Would it make more sense then to upgrade libressl (as opposed to
> libressl-devel)?

No, because I want to avoid inflicting rev-upgrade pain on users of the
libressl port.

> Staying with 2.5.5 < 2.7.2, we are really missing out.

I agree, and hopefully that encourages some folks to take a look at
#54744, so we can install these ports in parallel and configure which
libssl is used on a per-port basis.
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:15>
MacPorts
2018-05-01 04:59:49 UTC
#55264: libressl @2.5.5: update to 2.6.4

Comment (by janstary):

In [changeset:"07c504279eca3ee7ae8a16f58af13e86d949aae5/macports-ports"
07c504279eca3ee7ae8a16f58af13e86d949aae5/macports-ports] (master):
{{{
#!ConfigurableCommitTicketReference repository="macports-ports"
revision="07c504279eca3ee7ae8a16f58af13e86d949aae5"
libressl-devel: upgrade to 2.7.2

* fixed builds on macOS 10.11 and older.
* adds support for many OpenSSL 1.0.2 and 1.1 APIs,
based on observations of real-world usage in applications.
* extensive corrections, improvements, and additions
to the API documentation, including new public APIs from OpenSSL
that had no pre-existing documentation.

See also https://github.com/macports/macports-ports/pull/1626
for the benefits which are not happening for now,
as we are upgrading libressl-devel, not libressl
See also https://trac.macports.org/ticket/55264

While here, stop blacklisting compilers; that was introduced
for a much older version and doesn't seem to be needed any more
}}}
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:16>
MacPorts
2018-07-01 01:36:09 UTC
#55264: libressl @2.5.5: update to 2.6.5
Changes (by l2dy):

* keywords: => security


Comment:

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.5-relnotes.txt
We have released LibreSSL 2.6.5, a security update for the
* Avoid a timing side-channel leak when generating DSA and ECDSA
signatures. This is caused by an attempt to do fast modular
arithmetic, which introduces branches that leak information
regarding secret values. Issue identified and reported by Keegan
Ryan of NCC Group.
* Reject excessively large primes in DH key generation. Problem
reported by Guido Vranken to OpenSSL
(https://github.com/openssl/openssl/pull/6457) and based on his
diff.
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:17>
MacPorts
2018-09-03 13:33:04 UTC
#55264: libressl @2.5.5: update to 2.6.5

Comment (by l2dy):

Rev-upgrade rebuilding all dependents is painful. But IMHO, holding known
security fixes off for so long is worse.
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:18>
MacPorts
2018-11-15 23:50:40 UTC
#55264: libressl @2.5.5: update to 2.6.5

> Rev-upgrade rebuilding all dependents is painful. But IMHO, holding
> known security fixes off for so long is worse.

I fully agree with this sentiment. A library like this is crucial for
security in a lot of areas and really needs to be kept up to date in order
to avoid holes in our systems. At this point, I think holding off on the
upgrade is causing more headache overall than just getting it over with.
It may be quite a long time before anyone agrees on anything in #54744
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:19>
MacPorts
2018-11-20 13:17:24 UTC
#55264: libressl @2.5.5: update to 2.6.5

Comment (by TP75):

Please be aware there is a port //libressl-devel// available in MacPorts
for some time already. To my knowledge there is a sufficient amount of
ports which compile nicely with ''libressl-devel @2.8.1'' and IMHO one
should give it a try before mainly complaining. Notwithstanding any
security discussions there is always the chance for everybody to provide
some [https://guide.macports.org/#development Portfile development] in
support of the volunteers and maintainers.

One may have a look at https://www.libressl.org/releases.html
- LibreSSL 2.8.2 (October 18th, 2018)
- LibreSSL 2.6.5, 2.7.4 (June 13th, 2018)

Unfortunately, MacPorts current ports are somewhat outdated:
- libressl @2.5.5
- libressl-devel @2.8.1

However, I would like to thank for the good work and providing the
''libressl-devel'' certainly.
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:20>
MacPorts
2018-11-21 16:46:25 UTC
#55264: libressl @2.5.5: update to 2.6.5

> Please be aware there is a port //libressl-devel// available in MacPorts
> for some time already. To my knowledge there is a sufficient amount of
> ports which compile nicely with ''libressl-devel @2.8.1'' and IMHO one
> should give it a try before mainly complaining. Notwithstanding any
> security discussions there is always the chance for everybody for
> [https://guide.macports.org/#project.contributing contributing to
> MacPorts] or to provide some [https://guide.macports.org/#development
> portfile development] in support of the volunteers and maintainers.

You may find the pull-request ''libressl-devel: update to 2.8.2''
[https://github.com/macports/macports-ports/pull/3056 #3056] as my
contribution.
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:21>
MacPorts
2018-11-26 08:22:27 UTC
#55264: libressl @2.5.5: update to 2.6.5

Comment (by TP75 <31193257+TP75@
>):

In [changeset:"bd3a5dd988c7d98a48f4ff06ed9e185ce86b2ef1/macports-ports"
bd3a5dd988c7d98a48f4ff06ed9e185ce86b2ef1/macports-ports] (master):
{{{
#!ConfigurableCommitTicketReference repository="macports-ports"
revision="bd3a5dd988c7d98a48f4ff06ed9e185ce86b2ef1"
libressl-devel: update to 2.8.2

Please refer to https://trac.macports.org/ticket/55264#comment:20

One may have a look at https://www.libressl.org/releases.html
- LibreSSL 2.8.2 (October 18th, 2018)
- LibreSSL 2.6.5, 2.7.4 (June 13th, 2018)

Unfortunately, MacPorts current ports are somewhat outdated:
- libressl @2.5.5
- libressl-devel @2.8.1

However, I would like to thank the maintainers for the good work and for
providing the libressl-devel port certainly.
}}}
--
Ticket URL: <https://trac.macports.org/ticket/55264#comment:22>