[PC-BSD Pbi-dev] nginx PBI depends on OpenSSL from ports

Ken Moore ken at pcbsd.org
Tue Jan 31 07:33:33 PST 2012


On 01/31/2012 10:22, Ken Moore wrote:
> On 01/31/2012 10:06, Ken Moore wrote:
>> On 01/30/2012 22:07, Andriy Bakay wrote:
>>> Sorry for posting the same question again. How can I enforce a rebuild of
>>> the nginx PBI module with the new OpenSSL library?
>>>
>>> On 2012-01-27, at 20:47 , Andriy Bakay wrote:
>>>
>>>> Hi All,
>>>>
>>>> Recently I built an nginx PBI package with SSL support, and because I
>>>> want to use a more recent version of the OpenSSL library I built it with
>>>> OpenSSL from ports. In my pbi.conf I have:
>>>>
>>>> #!/bin/sh
>>>> PBI_PROGNAME="nginx"
>>>> PBI_PROGWEB="http://sysoev.ru/nginx/"
>>>> PBI_PROGAUTHOR="osa at FreeBSD.org"
>>>> PBI_PROGICON="nginx.png"
>>>> PBI_MAKEPORT="www/nginx"
>>>> PBI_MKPORTBEFORE=""
>>>> PBI_MKPORTAFTER=""
>>>> PBI_MAKEOPTS="PACKAGE_BUILDING=Y
>>>> WITH_OPENSSL_PORT=yes
>>>> WITH_HTTP_GZIP_STATIC_MODULE=true
>>>> WITH_HTTP_SSL_MODULE=true
>>>> WITH_SYSLOG_SUPPORT=true"
>>>> PBI_REQUIRESROOT="YES"
>>>> export PBI_REQUIRESROOT PBI_MAKEOPTS PBI_PROGNAME PBI_PROGWEB \
>>>>     PBI_PROGAUTHOR PBI_MKPORTBEFORE PBI_MKPORTAFTER PBI_PROGICON \
>>>>     PBI_MAKEPORT
>>>>
>>>> And I put the 'WITH_OPENSSL_PORT=yes' variable in '/etc/pbi-make.conf'
>>>> as well. Initially the nginx PBI was built with OpenSSL 1.0.0_8, but
>>>> recently OpenSSL was updated to 1.0.0_9 (security fix). I started the
>>>> 'pbi_autobuild' utility and the OpenSSL update was successfully
>>>> detected. The PBP patch 1.0.0_8 -> 1.0.0_9 was built. But the nginx
>>>> PBI package was not rebuilt by the 'pbi_autobuild' utility. I guess it
>>>> did not notice the dependency between nginx and OpenSSL from ports.
>>>>
>>>> OpenSSL 1.0.0_9 is a security fix, so it is important to
>>>> update the nginx PBI. How should such a situation be handled by the PBI
>>>> process?
>>>>
>>>> Please advise,
>>>> Andriy
>>>>
>>
>> I think that "pbi_autobuild" only rebuilds the PBI if there has been 
>> a change to the version number of the desired port to be built (in 
>> this case nginx, not openssl). You will probably have to manually 
>> trigger a rebuild of the PBI by setting [PBI_BUILDKEY="01"; export 
>> PBI_BUILDKEY] in your pbi.conf in order for pbi_autobuild to see that 
>> you want a new PBI build. You can also set 
>> [PBI_PROGREVISION="(something)"; export PBI_PROGREVISION] in pbi.conf 
>> in order to change the version number of your PBI (it adds
>> "_(something)" to the end of the version number, similar to minor
>> port changes).
>> Other than that, you will probably have to wait for the port to be
>> updated.
>>
>> Oh, you will also want to remove the "PACKAGE_BUILDING=Y" from the 
>> makeopt line. That will use the FreeBSD package for nginx (which was 
>> not updated) rather than building it from scratch with the updates to 
>> openssl.
>>
>> Hope this helps!
>>
>
> I just noticed another issue:
> There is no "WITH_OPENSSL_PORT" build option within the NGINX port.
> From looking at the makefile there are:
> "WITH_HTTP_SSL_MODULE"
> "WITH_MAIL_SSL_MODULE"
> Both of these will trigger the "NGINX_OPENSSL=yes" option later on in 
> the build.
> You can also add [PBI_MKPORTAFTER="security/openssl"; export 
> PBI_MKPORTAFTER] to pbi.conf and it will include the openssl port 
> within the PBI (even if the port does not officially require it).
> For additional explanation about the options available within the 
> pbi.conf file, please look at the PCBSD wiki page about building PBI 
> modules:
> http://wiki.pcbsd.org/index.php/PBI_Module_Builder_Guide
>

I also just changed our module for NGINX to include the changes I just 
mentioned (security/openssl added to the PBI, with_http_ssl_module 
option turned on). Once it rebuilds I will get it pushed to the AppCafe 
as soon as possible.

-- 
~~ Ken Moore ~~
PC-BSD/iXsystems
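
A check for the three points raised in the replies above (PACKAGE_BUILDING in the make options, security/openssl missing from PBI_MKPORTAFTER, and no PBI_BUILDKEY or PBI_PROGREVISION to trigger a rebuild), as an added example that is not part of the original message or of the PBI tools. The helper name check_pbi_conf and the two reduced sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; check_pbi_conf is a hypothetical helper, not a PBI tool.
check_pbi_conf() {
    (   # subshell: the sourced module variables do not leak to the caller
        unset PBI_MAKEOPTS PBI_MKPORTAFTER PBI_BUILDKEY PBI_PROGREVISION
        . "$1" || exit 2
        rc=0
        case "$PBI_MAKEOPTS" in *PACKAGE_BUILDING=*)
            echo "PACKAGE_BUILDING is set in PBI_MAKEOPTS"; rc=1 ;;
        esac
        case "$PBI_MAKEOPTS" in *WITH_HTTP_SSL_MODULE=*|*WITH_MAIL_SSL_MODULE=*)
            case " $PBI_MKPORTAFTER " in
                *" security/openssl "*) ;;
                *) echo "SSL module enabled but security/openssl not in PBI_MKPORTAFTER"; rc=1 ;;
            esac ;;
        esac
        if [ -z "$PBI_BUILDKEY" ] && [ -z "$PBI_PROGREVISION" ]; then
            echo "no PBI_BUILDKEY or PBI_PROGREVISION to trigger a rebuild"; rc=1
        fi
        exit "$rc"
    )
}

# Constructed sample inputs, reduced to the variables the thread discusses.
tmp=$(mktemp -d)
cat > "$tmp/before.conf" <<'EOF'
PBI_MAKEPORT="www/nginx"
PBI_MKPORTAFTER=""
PBI_MAKEOPTS="PACKAGE_BUILDING=Y
WITH_OPENSSL_PORT=yes
WITH_HTTP_SSL_MODULE=true"
export PBI_MAKEPORT PBI_MKPORTAFTER PBI_MAKEOPTS
EOF
cat > "$tmp/after.conf" <<'EOF'
PBI_MAKEPORT="www/nginx"
PBI_MKPORTAFTER="security/openssl"
PBI_MAKEOPTS="WITH_HTTP_SSL_MODULE=true"
PBI_BUILDKEY="01"
export PBI_MAKEPORT PBI_MKPORTAFTER PBI_MAKEOPTS PBI_BUILDKEY
EOF

for f in before after; do
    echo "== $f.conf"
    check_pbi_conf "$tmp/$f.conf" && echo "ok"
done
```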


