Difference between revisions of "Fink:Policy:system-openssl"

Latest revision as of 19:14, 8 October 2016

Linking Against the System OpenSSL

There is a package in Fink called system-openssl-dev that exists to make it easier to link software against Apple's provided OpenSSL (why?). It creates symlinks in prefix/lib/system-openssl that you can use to override the flags of existing software.

In some cases, you will have to patch your package to point to the system-openssl directory, but most likely, all you will have to do to use system-openssl-dev is to set one or more of the following:

 CPPFLAGS:        -I%p/lib/system-openssl/include
 CFLAGS:          -I%p/lib/system-openssl/include
 CXXFLAGS:        -I%p/lib/system-openssl/include
 
 LDFLAGS:         -L%p/lib/system-openssl/lib
 LIBS:            -L%p/lib/system-openssl/lib
 
 PKG_CONFIG_PATH: %p/lib/system-openssl/lib/pkgconfig

Creating Upgrade Packages

Since the goal is to create packages using OpenSSL that don't have to be in the crypto/ tree, you will probably want to make upgrade packages for the old versions of your SSL packages. If you have a set of packages such as foo and foo-ssl both of which have splitoffs, you will have conflict/upgrade issues if you just make a new foo-ssl dummy package that depends on foo. Instead, the recommended practice is to create a foo-unified package.

Example: Before Unification

foo.info:

 Package: foo
 Depends: %N-shlibs
 Conflicts: foo-ssl
 SplitOff: <<
   Package: %N-shlibs
   Conflicts: foo-ssl-shlibs
 <<

foo-ssl.info:

 Package: foo-ssl
 Depends: %N-shlibs
 Conflicts: foo
 SplitOff: <<
   Package: %N-shlibs
   Conflicts: foo-shlibs
 <<

Example: After Unification

foo-unified.info:

 Package: foo-unified
 Depends: %N-shlibs
 Replaces: foo (<< %v-%r), foo-ssl (<< %v-%r)
 SplitOff: <<
   Package: %N-shlibs
   Replaces: foo-shlibs (<< %v-%r), foo-ssl (<< %v-%r)
 <<
 SplitOff2: <<
   Package: foo
   Depends: %N (= %v-%r)
 <<
 SplitOff3: <<
   Package: foo-shlibs
   Depends: %N-shlibs (= %v-%r)
 <<
 SplitOff4: <<
   Package: foo-ssl
   Depends: %N (= %v-%r)
 <<
 SplitOff5: <<
   Package: foo-ssl-shlibs
   Depends: %N-shlibs (= %v-%r)
 <<

Deprecation of system-openssl-dev

OS X 10.11 has deprecated the use of a system provided OpenSSL library. While /usr/lib/libcrypto.0.9.8.dylibs and /usr/lib/libssl.0.9.8.dylib were not removed, Apple removed the OpenSSL headers in /usr/include/openssl and other compile-time files. Therefore, it is no longer possible to compile programs that use the system OpenSSL on OS X 10.11. As a result, the system-openssl-dev package is marked as available only on 10.10 and earlier. In order to accommodate this change, packages will need to transition to use Fink's OpenSSL (openssl100-dev/openssl100-shlibs as of Oct 2015) or some other SSL provider (such as GnuTLS via Fink's gnutls28/gnutls28-shlibs). Because binaries of (L)GPL packages that link to OpenSSL cannot be distributed for licensing reasons, a new value for the License: field has been created. (L)GPL packages can now be marked (as of Fink-0.39.2) as either GPL/OpenSSL or LGPL/OpenSSL so that the original license information is kept, but also note that it links to OpenSSL and therefore keep it out of the binary distribution.

The following table is a list of packages ~~as of October 13, 2015~~pruned as fixed that use system-openssl-dev and need to be updated. Packages that are only for distributions up through 10.10 can continue to use system-openssl-dev.

Package	License	Maintainer	Notes
postfix*	OSI-Approved	Daniel Johnson	emailed Aug 6

@@ Line 74: / Line 74: @@
 OS X 10.11 has deprecated the use of a system provided OpenSSL library.  While <code>/usr/lib/libcrypto.0.9.8.dylibs</code> and <code>/usr/lib/libssl.0.9.8.dylib</code> were not removed, Apple removed the OpenSSL headers in <code>/usr/include/openssl</code> and other compile-time files. Therefore, it is no longer possible to compile programs that use the system OpenSSL on OS X 10.11.  As a result, the <code>system-openssl-dev</code> package is marked as available only on 10.10 and earlier. In order to accommodate this change, packages will need to transition to use Fink's OpenSSL (<code>openssl100-dev</code>/<code>openssl100-shlibs</code> as of Oct 2015) or some other SSL provider (such as GnuTLS via Fink's <code>gnutls28</code>/<code>gnutls28-shlibs</code>). Because binaries of (L)GPL packages that link to OpenSSL cannot be distributed for licensing reasons, a new value for the <code>License:</code> field has been [https://github.com/fink/fink/pull/126 created]. (L)GPL packages can now be marked (as of Fink-0.39.2) as either <code>GPL/OpenSSL</code> or <code> LGPL/OpenSSL</code> so that the original license information is kept, but also note that it links to OpenSSL and therefore keep it out of the binary distribution.
-The following table is a list of packages <s>as of October 13, 2015</s><u>pruned as fixed</u> that use <code>system-openssl-dev</code> and need to be updated.
+The following table is a list of packages <s>as of October 13, 2015</s><u>pruned as fixed</u> that use <code>system-openssl-dev</code> and need to be updated. Packages that are only for distributions up through 10.10 can continue to use system-openssl-dev.
 {| class="wikitable sortable"
@@ Line 80: / Line 80: @@
 !Package!!License!!Maintainer!!Notes
 |-
+|postfix*||OSI-Approved||Daniel Johnson||emailed Aug 6
-|gnucash2||GPL||Dave Reiser||10.{9,10} only (10.11 fixed, no need to keep dists in sync)
-|-
-|libkf5kdelibs4support5||GPL||Hanspeter Niederstrasser
-|-
-|mp3diags-*||GPL2||Daniel Johnson
-|-
-|postfix*||OSI-Approved||Daniel Johnson
-|-
-|slang2||Artistic||Max Horn||no dep (neither system-openssl nor fink openssl) but ConfigureParam flags for system-openssl
-|-
-|valkyrie*||GPL2+||Daniel Johnson
-|-
-|vorbis-tools||GPL||Max Horn
 |}