From: Leo Famulari
Subject: Re: OpenSSL 1.1.0c security update required
Date: Fri, 9 Dec 2016 20:21:38 -0500
Message-ID: <20161210012138.GA20641@jasmine>
To: Marius Bakke
Cc: guix-devel@gnu.org

On Fri, Dec 09, 2016 at 11:11:07AM +0100, Marius Bakke wrote:
> I did this change for openssl@1.1.0 (attached). The 'config(ure)' script
> now takes a -rpath flag which works as advertised.

Thanks for taking this on!

> However by duplicating the 'configure' phase, I discovered that the
> 'version' variable actually gets the inherited value when using
> 'substitute-keyword-arguments', and had to duplicate the
> 'remove-miscellany' phase as well, since it tried deleting a directory
> called '$out/share/openssl-1.0.2j'. Should I file a bug for this, or
> is it something intrinsically unfixable?

I don't know, but the patch looks good enough to me, so can you go ahead and push it? We can deduplicate the phases later. > From 2fa175873823afb4b2e05c9ed26772c900a2f5ef Mon Sep 17 00:00:00 2001 > From: Marius Bakke > Date: Fri, 9 Dec 2016 09:48:38 +0100 > Subject: [PATCH] gnu: openssl-next: Update to 1.1.0c [fixes > CVE-{7053,7054,7055}]. >=20 > * gnu/packages/tls.scm (openssl-next): Update to 1.1.0c. > [arguments]: Duplicate 'configure' to add rpath flag previously handled by > now-defunct 'patch-runpath' phase. Duplicate 'remove-miscellany' phase. [...] > + (replace 'configure > (lambda* (#:key outputs #:allow-other-keys) > - (let ((lib (string-append (assoc-ref outputs "out") "/lib= "))) > - (substitute* "Makefile.shared" > - (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}") > - (string-append "$${SHAREDCMD} $${SHAREDFLAGS}" > - " -Wl,-rpath," lib))) > + (let* ((out (assoc-ref outputs "out")) > + (lib (string-append out "/lib"))) > + (zero? > + (system* "./config" > + "shared" ;build shared libr= aries > + "--libdir=3Dlib" > + > + ;; The default for this catch-all directory is > + ;; PREFIX/ssl. Change that to something more > + ;; conventional. > + (string-append "--openssldir=3D" out > + "/share/openssl-" ,version) > + > + (string-append "--prefix=3D" out) > + > + (string-append "-Wl,-rpath," lib) This is much clearer than patching the Makefile! 
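
Review bot: in the replaced 'configure phase, the "--openssldir" argument depends on ,version expanding to this package's own version, which per the message above is the only reason the phase (and 'remove-miscellany) is copied instead of inherited through substitute-keyword-arguments, yet nothing in the code says so. Suggest a short comment on both duplicated phases naming the inherited-version problem, so that a later deduplication does not bring back the '$out/share/openssl-1.0.2j' path. Separately, the subject line abbreviates the identifiers as CVE-{7053,7054,7055} with no year; writing each identifier out in full makes the security fix findable when searching the log.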