[PC-BSD Pbi-dev] nginx PBI depends on OpenSSL from ports

Andriy Bakay andriy at irbisnet.com
Tue Jan 31 20:27:35 PST 2012


On 2012-01-31, at 10:22 , Ken Moore wrote:

> On 01/31/2012 10:06, Ken Moore wrote:
>> On 01/30/2012 22:07, Andriy Bakay wrote:
>>> Sorry for posting the same question again. How can I enforce a rebuild of the nginx PBI module with the new OpenSSL library?
>>> 
>>> On 2012-01-27, at 20:47 , Andriy Bakay wrote:
>>> 
>>>> Hi All,
>>>> 
>>>> Recently I built an nginx PBI package with SSL support, and because I want to use a more recent version of the OpenSSL library I built it with OpenSSL from ports. In my pbi.conf I have:
>>>> 
>>>> #!/bin/sh
>>>> PBI_PROGNAME="nginx"
>>>> PBI_PROGWEB="http://sysoev.ru/nginx/"
>>>> PBI_PROGAUTHOR="osa at FreeBSD.org"
>>>> PBI_PROGICON="nginx.png"
>>>> PBI_MAKEPORT="www/nginx"
>>>> PBI_MKPORTBEFORE=""
>>>> PBI_MKPORTAFTER=""
>>>> PBI_MAKEOPTS="PACKAGE_BUILDING=Y
>>>> WITH_OPENSSL_PORT=yes
>>>> WITH_HTTP_GZIP_STATIC_MODULE=true
>>>> WITH_HTTP_SSL_MODULE=true
>>>> WITH_SYSLOG_SUPPORT=true"
>>>> PBI_REQUIRESROOT="YES"
>>>> export PBI_REQUIRESROOT PBI_MAKEOPTS PBI_PROGNAME PBI_PROGWEB PBI_PROGAUTHOR PBI_MKPORTBEFORE PBI_MKPORTAFTER PBI_PROGICON PBI_MAKEPORT
>>>> 
>>>> And I put the 'WITH_OPENSSL_PORT=yes' variable in '/etc/pbi-make.conf' as well. Initially the nginx PBI was built with OpenSSL 1.0.0_8, but recently OpenSSL was updated to 1.0.0_9 (security fix). I started the 'pbi_autobuild' utility and the OpenSSL update was successfully detected. The PBP patch 1.0.0_8 -> 1.0.0_9 was built. But the nginx PBI package was not rebuilt by the 'pbi_autobuild' utility. I guess it did not notice the dependency between nginx and OpenSSL from ports.
>>>> 
>>>> OpenSSL 1.0.0_9 is a security fix, so it is important to update the nginx PBI. How should such a situation be handled by the PBI process?
>>>> 
>>>> Please advise,
>>>> Andriy
>>>> 
>>>> _______________________________________________
>>>> Pbi-dev mailing list
>>>> Pbi-dev at lists.pcbsd.org
>>>> http://lists.pcbsd.org/mailman/listinfo/pbi-dev
>> 
>> I think that "pbi_autobuild" only rebuilds the PBI if there has been a change to the version number of the desired port to be built (in this case nginx, not openssl). You will probably have to manually trigger a rebuild of the PBI by setting [PBI_BUILDKEY="01"; export PBI_BUILDKEY] in your pbi.conf in order for pbi_autobuild to see that you want a new PBI build. You can also set [PBI_PROGREVISION="(something)"; export PBI_PROGREVISION] in pbi.conf in order to change the version number of your PBI (it adds "_(something)" to the end of the version number, similar to minor port changes).
>> Other than that, you will probably have to wait for the port to be updated.
>> 
>> Oh, you will also want to remove the "PACKAGE_BUILDING=Y" from the makeopt line. That will use the FreeBSD package for nginx (which was not updated) rather than building it from scratch with the updates to openssl.
>> 
>> Hope this helps!
>> 
> 
> I just noticed another issue:
> There is no "WITH_OPENSSL_PORT" build option within the NGINX port.
> From looking at the makefile there are:
> "WITH_HTTP_SSL_MODULE"
> "WITH_MAIL_SSL_MODULE"
> Both of these will trigger the "NGINX_OPENSSL=yes" option later on in the build.
> You can also add [PBI_MKPORTAFTER="security/openssl"; export PBI_MKPORTAFTER] to pbi.conf and it will include the openssl port within the PBI (even if the port does not officially require it).
> For additional explanation about the options available within the pbi.conf file, please look at the PCBSD wiki page about building PBI modules:
> http://wiki.pcbsd.org/index.php/PBI_Module_Builder_Guide
> 
> -- 
> ~~ Ken Moore ~~
> PC-BSD/iXsystems
> 

The "WITH_OPENSSL_PORT" build option is part of the standard "/usr/ports/Mk/bsd.openssl.mk" file. Usually I put it in "/etc/make.conf" and all ports which depend on OpenSSL use OpenSSL from the port instead of the system one. I thought it would work the same way in 'pbi.conf' or in '/etc/pbi-make.conf' as a global setting.

Is there a way to set the "WITH_OPENSSL_PORT" build option globally?

Thank you Ken, your information is very useful. I will try your suggestions ASAP.
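
The manual PBI_BUILDKEY bump that Ken describes can be scripted so the key changes whenever the dependency's version changes. This is an added example, not part of the original thread or of PC-BSD's tooling; it assumes, as Ken's reply suggests, that a changed PBI_BUILDKEY makes pbi_autobuild rebuild the PBI, and `bump_buildkey` and its state file are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption, per Ken's reply: a changed
# PBI_BUILDKEY in pbi.conf makes pbi_autobuild rebuild the PBI.
# bump_buildkey and the state file are hypothetical names.

# bump_buildkey CONF STATE DEPVER
#   CONF   path to the module's pbi.conf
#   STATE  file remembering the dependency version used for the last bump
#   DEPVER current version of the dependency port (e.g. security/openssl),
#          supplied by the caller
# Returns 0 if the key was bumped, 1 if nothing changed, 2 on error.
# With no state file yet, the first call always bumps the key.
bump_buildkey() {
    conf=$1 state=$2 depver=$3
    [ -f "$conf" ] && [ -n "$depver" ] || return 2

    last=""
    [ -f "$state" ] && last=$(cat "$state")
    [ "$last" = "$depver" ] && return 1

    # Current key, digits only; an absent or non-numeric key counts as 0.
    cur=$(sed -n 's/^PBI_BUILDKEY="\{0,1\}\([0-9][0-9]*\)"\{0,1\}.*/\1/p' \
        "$conf" | tail -n 1)
    cur=${cur#"${cur%%[!0]*}"}      # strip leading zeros (avoid octal parsing)
    next=$(printf '%02d' $(( ${cur:-0} + 1 )))

    # Drop any old assignment, append the new one, then swap the file in.
    tmp="$conf.tmp.$$"
    sed '/^PBI_BUILDKEY=/d' "$conf" > "$tmp" || return 2
    printf 'PBI_BUILDKEY="%s"; export PBI_BUILDKEY\n' "$next" >> "$tmp"
    mv "$tmp" "$conf" || return 2
    printf '%s\n' "$depver" > "$state"
    return 0
}

# Stand-alone use: sh bump_buildkey.sh <pbi.conf> <state-file> <dep-version>
if [ "$#" -eq 3 ]; then
    bump_buildkey "$@"
fi
```

Run it before pbi_autobuild with the current security/openssl version as the third argument; a return of 1 means the dependency is unchanged and pbi.conf was left alone.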


