Difference between revisions of "Fink:Policy:system-openssl"

From the Fink Wiki
Jump to navigation Jump to search
 
(15 intermediate revisions by 2 users not shown)
Line 74: Line 74:
 
OS X 10.11 has deprecated the use of a system provided OpenSSL library. While <code>/usr/lib/libcrypto.0.9.8.dylibs</code> and <code>/usr/lib/libssl.0.9.8.dylib</code> were not removed, Apple removed the OpenSSL headers in <code>/usr/include/openssl</code> and other compile-time files. Therefore, it is no longer possible to compile programs that use the system OpenSSL on OS X 10.11. As a result, the <code>system-openssl-dev</code> package is marked as available only on 10.10 and earlier. In order to accommodate this change, packages will need to transition to use Fink's OpenSSL (<code>openssl100-dev</code>/<code>openssl100-shlibs</code> as of Oct 2015) or some other SSL provider (such as GnuTLS via Fink's <code>gnutls28</code>/<code>gnutls28-shlibs</code>). Because binaries of (L)GPL packages that link to OpenSSL cannot be distributed for licensing reasons, a new value for the <code>License:</code> field has been [https://github.com/fink/fink/pull/126 created]. (L)GPL packages can now be marked (as of Fink-0.39.2) as either <code>GPL/OpenSSL</code> or <code> LGPL/OpenSSL</code> so that the original license information is kept, but also note that it links to OpenSSL and therefore keep it out of the binary distribution.
 
OS X 10.11 has deprecated the use of a system provided OpenSSL library. While <code>/usr/lib/libcrypto.0.9.8.dylibs</code> and <code>/usr/lib/libssl.0.9.8.dylib</code> were not removed, Apple removed the OpenSSL headers in <code>/usr/include/openssl</code> and other compile-time files. Therefore, it is no longer possible to compile programs that use the system OpenSSL on OS X 10.11. As a result, the <code>system-openssl-dev</code> package is marked as available only on 10.10 and earlier. In order to accommodate this change, packages will need to transition to use Fink's OpenSSL (<code>openssl100-dev</code>/<code>openssl100-shlibs</code> as of Oct 2015) or some other SSL provider (such as GnuTLS via Fink's <code>gnutls28</code>/<code>gnutls28-shlibs</code>). Because binaries of (L)GPL packages that link to OpenSSL cannot be distributed for licensing reasons, a new value for the <code>License:</code> field has been [https://github.com/fink/fink/pull/126 created]. (L)GPL packages can now be marked (as of Fink-0.39.2) as either <code>GPL/OpenSSL</code> or <code> LGPL/OpenSSL</code> so that the original license information is kept, but also note that it links to OpenSSL and therefore keep it out of the binary distribution.
   
The following table is a list of packages <s>as of October 13, 2015</s><u>pruned as fixed</u> that use <code>system-openssl-dev</code> and need to be updated.
+
The following table is a list of packages <s>as of October 13, 2015</s><u>pruned as fixed</u> that use <code>system-openssl-dev</code> and need to be updated. Packages that are only for distributions up through 10.10 can continue to use system-openssl-dev.
   
 
{| class="wikitable sortable"
 
{| class="wikitable sortable"
Line 80: Line 80:
 
!Package!!License!!Maintainer!!Notes
 
!Package!!License!!Maintainer!!Notes
 
|-
 
|-
 
|postfix*||OSI-Approved||Daniel Johnson||emailed Aug 6
|gnucash2||GPL||Dave Reiser||10.{9,10} only (10.11 fixed, no need to keep dists in sync)
 
|-
 
|gwenhywfar60||LGPL||Dave Reiser
 
|-
 
|irsii||GPL||Daniel Macks||10.9 only (10.10+ fixed, no need to keep 10.9 in sync)
 
|-
 
|libdbusmenu-qt5.2||LGPL||Hanspeter Niederstrasser
 
|-
 
|libkf5kdelibs4support5||GPL||Hanspeter Niederstrasser
 
|-
 
|libofx4||GPL||Dave Reiser
 
|-
 
|libtorrent15||GPL||David Fang
 
|-
 
|libtorrent19||GPL||David Fang
 
|-
 
|mp3diags-*||GPL2||Daniel Johnson
 
|-
 
|openvpn||GPL||Andreas Gockel
 
|-
 
|postfix*||OSI-Approved||Daniel Johnson
 
|-
 
|qtiplot-qt4-*||GPL||Alexandre Vial
 
|-
 
|qwt-qt4-*||LGPL||Alexandre Vial
 
|-
 
|qwt6-qt4-*||LGPL||Daniel Macks
 
|-
 
|swi-prolog||LGPL||Jesse Alama
 
|-
 
|valkyrie*||GPL2+||Daniel Johnson
 
|-
 
|vorbis-tools||GPL||Max Horn
 
|-
 
|xchat||GPL||Max Horn
 
 
|}
 
|}
   

Latest revision as of 20:14, 8 October 2016


Linking Against the System OpenSSL

There is a package in Fink called system-openssl-dev that exists to make it easier to link software against Apple's provided OpenSSL (why?). It creates symlinks in prefix/lib/system-openssl that you can use to override the flags of existing software.

In some cases, you will have to patch your package to point to the system-openssl directory, but most likely, all you will have to do to use system-openssl-dev is to set one or more of the following:

 CPPFLAGS:        -I%p/lib/system-openssl/include
 CFLAGS:          -I%p/lib/system-openssl/include
 CXXFLAGS:        -I%p/lib/system-openssl/include
 
 LDFLAGS:         -L%p/lib/system-openssl/lib
 LIBS:            -L%p/lib/system-openssl/lib
 
 PKG_CONFIG_PATH: %p/lib/system-openssl/lib/pkgconfig

Creating Upgrade Packages

Since the goal is to create packages using OpenSSL that don't have to be in the crypto/ tree, you will probably want to make upgrade packages for the old versions of your SSL packages. If you have a set of packages such as foo and foo-ssl both of which have splitoffs, you will have conflict/upgrade issues if you just make a new foo-ssl dummy package that depends on foo. Instead, the recommended practice is to create a foo-unified package.

Example: Before Unification

foo.info:

 Package: foo
 Depends: %N-shlibs
 Conflicts: foo-ssl
 SplitOff: <<
   Package: %N-shlibs
   Conflicts: foo-ssl-shlibs
 <<

foo-ssl.info:

 Package: foo-ssl
 Depends: %N-shlibs
 Conflicts: foo
 SplitOff: <<
   Package: %N-shlibs
   Conflicts: foo-shlibs
 <<

Example: After Unification

foo-unified.info:

 Package: foo-unified
 Depends: %N-shlibs
 Replaces: foo (<< %v-%r), foo-ssl (<< %v-%r)
 SplitOff: <<
   Package: %N-shlibs
   Replaces: foo-shlibs (<< %v-%r), foo-ssl (<< %v-%r)
 <<
 SplitOff2: <<
   Package: foo
   Depends: %N (= %v-%r)
 <<
 SplitOff3: <<
   Package: foo-shlibs
   Depends: %N-shlibs (= %v-%r)
 <<
 SplitOff4: <<
   Package: foo-ssl
   Depends: %N (= %v-%r)
 <<
 SplitOff5: <<
   Package: foo-ssl-shlibs
   Depends: %N-shlibs (= %v-%r)
 <<

Deprecation of system-openssl-dev

OS X 10.11 has deprecated the use of a system provided OpenSSL library. While /usr/lib/libcrypto.0.9.8.dylibs and /usr/lib/libssl.0.9.8.dylib were not removed, Apple removed the OpenSSL headers in /usr/include/openssl and other compile-time files. Therefore, it is no longer possible to compile programs that use the system OpenSSL on OS X 10.11. As a result, the system-openssl-dev package is marked as available only on 10.10 and earlier. In order to accommodate this change, packages will need to transition to use Fink's OpenSSL (openssl100-dev/openssl100-shlibs as of Oct 2015) or some other SSL provider (such as GnuTLS via Fink's gnutls28/gnutls28-shlibs). Because binaries of (L)GPL packages that link to OpenSSL cannot be distributed for licensing reasons, a new value for the License: field has been created. (L)GPL packages can now be marked (as of Fink-0.39.2) as either GPL/OpenSSL or LGPL/OpenSSL so that the original license information is kept, but also note that it links to OpenSSL and therefore keep it out of the binary distribution.

The following table is a list of packages as of October 13, 2015pruned as fixed that use system-openssl-dev and need to be updated. Packages that are only for distributions up through 10.10 can continue to use system-openssl-dev.

Package License Maintainer Notes
postfix* OSI-Approved Daniel Johnson emailed Aug 6