[PC-BSD Pbi-dev] nginx PBI depends on OpenSSL from ports

Ken Moore ken at pcbsd.org
Tue Jan 31 07:22:01 PST 2012


On 01/31/2012 10:06, Ken Moore wrote:
> On 01/30/2012 22:07, Andriy Bakay wrote:
>> Sorry for posting the same question again. How can I enforce a rebuild of the 
>> nginx PBI module with the new OpenSSL library?
>>
>> On 2012-01-27, at 20:47 , Andriy Bakay wrote:
>>
>>> Hi All,
>>>
>>> Recently I built an nginx PBI package with SSL support, and because I 
>>> want to use a more recent version of the OpenSSL library I built it with 
>>> OpenSSL from ports. In my pbi.conf I have:
>>>
>>> #!/bin/sh
>>> PBI_PROGNAME="nginx"
>>> PBI_PROGWEB="http://sysoev.ru/nginx/"
>>> PBI_PROGAUTHOR="osa at FreeBSD.org"
>>> PBI_PROGICON="nginx.png"
>>> PBI_MAKEPORT="www/nginx"
>>> PBI_MKPORTBEFORE=""
>>> PBI_MKPORTAFTER=""
>>> PBI_MAKEOPTS="PACKAGE_BUILDING=Y
>>> WITH_OPENSSL_PORT=yes
>>> WITH_HTTP_GZIP_STATIC_MODULE=true
>>> WITH_HTTP_SSL_MODULE=true
>>> WITH_SYSLOG_SUPPORT=true"
>>> PBI_REQUIRESROOT="YES"
>>> export PBI_REQUIRESROOT PBI_MAKEOPTS PBI_PROGNAME PBI_PROGWEB \
>>>   PBI_PROGAUTHOR PBI_MKPORTBEFORE PBI_MKPORTAFTER PBI_PROGICON \
>>>   PBI_MAKEPORT
>>>
>>> And I put the 'WITH_OPENSSL_PORT=yes' variable in '/etc/pbi-make.conf' 
>>> as well. Initially the nginx PBI was built with OpenSSL 1.0.0_8, but 
>>> recently OpenSSL was updated to 1.0.0_9 (security fix). I started the 
>>> 'pbi_autobuild' utility and the OpenSSL update was successfully 
>>> detected. The PBP patch 1.0.0_8 -> 1.0.0_9 was built. But the nginx PBI 
>>> package was not rebuilt by the 'pbi_autobuild' utility. I guess it did 
>>> not notice the dependency between nginx and OpenSSL from ports.
>>>
>>> OpenSSL 1.0.0_9 is a security fix, so it is important to update the 
>>> nginx PBI. How should such a situation be handled by the PBI process?
>>>
>>> Please advise,
>>> Andriy
>>>
>
> I think that "pbi_autobuild" only rebuilds the PBI if there has been a 
> change to the version number of the desired port to be built (in this 
> case nginx, not openssl). You will probably have to manually trigger a 
> rebuild of the PBI by setting [PBI_BUILDKEY="01"; export PBI_BUILDKEY] 
> in your pbi.conf in order for pbi_autobuild to see that you want a new 
> PBI build. You can also set [PBI_PROGREVISION="(something)"; export 
> PBI_PROGREVISION] in pbi.conf in order to change the version number of 
> your PBI (it adds: "_(something)" to the end of the version number, 
> similar to minor port changes).
> Other than that, you will probably have to wait for the port to be 
> updated.
>
> Oh, you will also want to remove the "PACKAGE_BUILDING=Y" from the 
> makeopt line. That will use the FreeBSD package for nginx (which was 
> not updated) rather than building it from scratch with the updates to 
> openssl.
>
> Hope this helps!
>

I just noticed another issue:
There is no "WITH_OPENSSL_PORT" build option within the NGINX port.
From looking at the makefile there are:
"WITH_HTTP_SSL_MODULE"
"WITH_MAIL_SSL_MODULE"
Both of these will trigger the "NGINX_OPENSSL=yes" option later on in 
the build.
You can also add [PBI_MKPORTAFTER="security/openssl"; export 
PBI_MKPORTAFTER] to pbi.conf and it will include the openssl port within 
the PBI (even if the port does not officially require it).
For additional explanation about the options available within the 
pbi.conf file, please look at the PCBSD wiki page about building PBI 
modules:
http://wiki.pcbsd.org/index.php/PBI_Module_Builder_Guide

-- 
~~ Ken Moore ~~
PC-BSD/iXsystems
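
Added example, not part of the original messages or of the PBI tools: a small shell check that lints a module's pbi.conf against the three suggestions made in this thread (drop PACKAGE_BUILDING, set PBI_BUILDKEY or PBI_PROGREVISION, list security/openssl in PBI_MKPORTAFTER). The function name pbi_conf_lint and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: pbi_conf_lint is a hypothetical helper, not a PBI utility.
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 if unreadable.
pbi_conf_lint() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    case "$conf" in */*) ;; *) conf="./$conf" ;; esac  # keep '.' from searching PATH
    # pbi.conf is itself a shell script, so it is evaluated in a subshell;
    # only lint modules you would build anyway.
    (
        unset PBI_MAKEOPTS PBI_BUILDKEY PBI_PROGREVISION PBI_MKPORTAFTER
        . "$conf" >/dev/null 2>&1 || exit 2
        rc=0
        case "${PBI_MAKEOPTS:-}" in
            *PACKAGE_BUILDING*)
                echo "PBI_MAKEOPTS: drop PACKAGE_BUILDING so the port is built from source"
                rc=1 ;;
        esac
        if [ -z "${PBI_BUILDKEY:-}${PBI_PROGREVISION:-}" ]; then
            echo "PBI_BUILDKEY/PBI_PROGREVISION: set one to request a rebuild"
            rc=1
        fi
        # Collapse newlines and repeated blanks before matching whole port names.
        case " $(echo ${PBI_MKPORTAFTER:-}) " in
            *" security/openssl "*) ;;
            *)  echo "PBI_MKPORTAFTER: add security/openssl to include it in the PBI"
                rc=1 ;;
        esac
        exit "$rc"
    )
}

# Constructed sample: the options from the original post, reduced.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PBI_MAKEPORT="www/nginx"
PBI_MKPORTAFTER=""
PBI_MAKEOPTS="PACKAGE_BUILDING=Y
WITH_HTTP_SSL_MODULE=true"
export PBI_MAKEPORT PBI_MKPORTAFTER PBI_MAKEOPTS
EOF
pbi_conf_lint "$sample" || true
rm -f "$sample"
```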


