From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: [PATCH 0/1] OpenSSL 1.1.0 Date: Sat, 3 Sep 2016 22:20:49 -0400 Message-ID: <20160904022049.GA30856@jasmine> References: <87y43albe9.fsf@gnu.org> <20160902201422.GA3701@jasmine> <8737lhm6rk.fsf@gnu.org> <20160903140613.GB12802@jasmine> <87oa45jblg.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="Q68bSM7Ycu6FN28Q" Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:50994) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bgN3T-00086d-S6 for guix-devel@gnu.org; Sat, 03 Sep 2016 22:21:12 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bgN3O-0006Ho-94 for guix-devel@gnu.org; Sat, 03 Sep 2016 22:21:06 -0400 Content-Disposition: inline In-Reply-To: <87oa45jblg.fsf@gnu.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Ludovic =?iso-8859-1?Q?Court=E8s?= Cc: guix-devel@gnu.org --Q68bSM7Ycu6FN28Q Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit On Sat, Sep 03, 2016 at 04:34:51PM +0200, Ludovic Courtès wrote: > Yes, but as long the ‘openssl’ refers to 1.0.x, it doesn’t really matter > than the “openssl” package points to the latest one, no? Use can still > run “guix package -i openssl@1.0” if they want. Oh, right :) I've attached a patch for review. --Q68bSM7Ycu6FN28Q Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="0001-gnu-Add-openssl-next.patch" >From 2e6f500c7876733206e231fd98ebe7419d9b076f Mon Sep 17 00:00:00 2001 
From: Leo Famulari
Date: Fri, 2 Sep 2016 16:07:29 -0400
Subject: [PATCH] gnu: Add openssl-next.
* gnu/packages/tls.scm (openssl-next): New variable.
* gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
.../patches/openssl-1.1.0-c-rehash-in.patch | 19 ++++
gnu/packages/tls.scm | 110 +++++++++++++++++++++
3 files changed, 130 insertions(+)
create mode 100644 gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index efb00b9..0c2740d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -699,6 +699,7 @@ dist_patch_DATA = \
 %D%/packages/patches/openjpeg-CVE-2015-6581.patch \
 %D%/packages/patches/openjpeg-use-after-free-fix.patch \
 %D%/packages/patches/openssl-runpath.patch \
+ %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \
 %D%/packages/patches/openssl-c-rehash-in.patch \
 %D%/packages/patches/openssl-CVE-2016-2177.patch \
 %D%/packages/patches/openssl-CVE-2016-2178.patch \
diff --git a/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch b/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch
new file mode 100644
index 0000000..e3a982b
--- /dev/null
+++ b/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch
@@ -0,0 +1,19 @@
+This patch removes the explicit reference to the 'perl' binary,
+such that OpenSSL does not retain a reference to Perl.
+
+The 'c_rehash' program is seldom used, but it is used nonetheless
+to create symbolic links to certificates, for instance in the 'nss-certs'
+package.
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index 2fef627..9d40eae 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -1,4 +1,6 @@
+-#!{- $config{hashbangperl} -}
++eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}'
++ & eval 'exec perl -wS "$0" $argv:q'
++ if 0;
+ 
+ # {- join("\n# ", @autowarntext) -}
+ # Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. 
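Review bot: The header of openssl-1.1.0-c-rehash-in.patch says what the change removes (the hard-coded Perl reference) but not what c_rehash now requires: the replacement lines exec `perl` via a PATH lookup at run time, so every caller of c_rehash (the header names the nss-certs package) has to make a perl available in its build environment. Adding a sentence such as `Callers of c_rehash must therefore have 'perl' in PATH (e.g. as a native input).` to the header would keep that expectation next to the patch. The trampoline looks like the usual perlrun idiom, presumably the same one the existing openssl-c-rehash-in.patch for 1.0.x uses, adapted to the 1.1.0 `{- $config{hashbangperl} -}` template line; I cannot see that patch here to confirm.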
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 4b87150..040a48a 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -323,6 +323,116 @@ required structures.")
 (license license:openssl)
 (home-page "http://www.openssl.org/")))
 
+(define-public openssl-next
+ (package
+ (inherit openssl)
+ (name "openssl")
+ (version "1.1.0")
+ (source (origin
+ (method url-fetch)
+ (uri (list (string-append "ftp://ftp.openssl.org/source/"
+ name "-" version ".tar.gz")
+ (string-append "ftp://ftp.openssl.org/source/old/"
+ (string-trim-right version char-set:letter)
+ "/" name "-" version ".tar.gz")))
+ (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
+ (sha256
+ (base32
+ "10lcpmnxap9nw8ymdglys93cgkwd1lf1rz4fhq5whwhlmkwrzipm"))))
+ (outputs '("out"
+ "doc" ;1.3MiB of man3 pages
+ "static")) ; 5.5MiB of .a files
+ (arguments
+ `(#:disallowed-references (,perl)
+ #:parallel-build? #f
+ #:parallel-tests? #f
+ #:test-target "test"
+
+ ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
+ ;; so we explicitly disallow it here.
+ #:disallowed-references ,(list (canonical-package perl))
+ #:phases
+ (modify-phases %standard-phases
+ (add-after 'configure 'patch-runpath
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let ((lib (string-append (assoc-ref outputs "out") "/lib")))
+ (substitute* "Makefile.shared"
+ (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}")
+ (string-append "$${SHAREDCMD} $${SHAREDFLAGS}"
+ " -Wl,-rpath," lib)))
+ #t)))
+ (replace
+ 'configure
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let ((out (assoc-ref outputs "out")))
+ (zero?
+ (system* "./config"
+ "shared" ;build shared libraries
+ "--libdir=lib"
+
+ ;; The default for this catch-all directory is
+ ;; PREFIX/ssl. Change that to something more
+ ;; conventional.
+ (string-append "--openssldir=" out
+ "/share/openssl-" ,version)
+
+ (string-append "--prefix=" out)
+
+ ;; XXX FIXME: Work around a code generation bug in GCC
+ ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
+ ;;
+ ,@(if (and (not (%current-target-system))
+ (string-prefix? 
"armhf" (%current-system)))
+ '("-mfpu=vfpv3")
+ '()))))))
+ (add-after
+ 'install 'make-libraries-writable
+ (lambda* (#:key outputs #:allow-other-keys)
+ ;; Make libraries writable so that 'strip' does its job.
+ (let ((out (assoc-ref outputs "out")))
+ (for-each (lambda (file)
+ (chmod file #o644))
+ (find-files (string-append out "/lib")
+ "\\.so"))
+ #t)))
+ (add-after 'install 'move-static-libraries
+ (lambda* (#:key outputs #:allow-other-keys)
+ ;; Move static libraries to the "static" output.
+ (let* ((out (assoc-ref outputs "out"))
+ (lib (string-append out "/lib"))
+ (static (assoc-ref outputs "static"))
+ (slib (string-append static "/lib")))
+ (mkdir-p slib)
+ (for-each (lambda (file)
+ (install-file file slib)
+ (delete-file file))
+ (find-files lib "\\.a$"))
+ #t)))
+ (add-after 'install 'move-man3-pages
+ (lambda* (#:key outputs #:allow-other-keys)
+ ;; Move section 3 man pages to "doc".
+ (let* ((out (assoc-ref outputs "out"))
+ (man3 (string-append out "/share/man/man3"))
+ (doc (assoc-ref outputs "doc"))
+ (target (string-append doc "/share/man/man3")))
+ (mkdir-p target)
+ (for-each (lambda (file)
+ (rename-file file
+ (string-append target "/"
+ (basename file))))
+ (find-files man3))
+ (delete-file-recursively man3)
+ #t)))
+ (add-after
+ 'install 'remove-miscellany
+ (lambda* (#:key outputs #:allow-other-keys)
+ ;; The 'misc' directory contains random undocumented shell and Perl
+ ;; scripts. Remove them to avoid retaining a reference on Perl.
+ (let ((out (assoc-ref outputs "out")))
+ (delete-file-recursively (string-append out "/share/openssl-"
+ ,version "/misc"))
+ #t))))))))
+
 (define-public libressl
 (package
 (name "libressl")
-- 2.10.0 --Q68bSM7Ycu6FN28Q--
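Review bot: `#:disallowed-references` is given twice in the quasiquoted argument list of openssl-next: once as `(,perl)` immediately after the backquote and again as `,(list (canonical-package perl))` under the comment that explains the check. A keyword argument supplied twice is accepted silently and only one occurrence takes effect, so the closure check may run against whichever of the two Perl packages the parser keeps rather than the intended one; the bare `(,perl)` line looks like the leftover and should be dropped, keeping `#:disallowed-references ,(list (canonical-package perl))`. Separately, the patch-runpath phase depends on `substitute*` finding `$${SHAREDCMD} $${SHAREDFLAGS}` in Makefile.shared, and `substitute*` does not complain when nothing matches, so if the 1.1.0 Makefile.shared spells that line differently the RUNPATH is silently not added; stating that assumption in the phase comment, or checking for the pattern before substituting, would make such a failure visible instead of producing libraries that load the wrong libcrypto at run time.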