[MacPorts] #54688: nodejs fails to build with libressl
MacPorts
noreply at macports.org
Mon Oct 2 15:51:19 UTC 2017
#54688: nodejs fails to build with libressl
-------------------------------------------------+-------------------------
Reporter: tgyurci | Owner: ci42
Type: enhancement | Status: assigned
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords:
Port: nodejs4 nodejs5 nodejs6 nodejs7 |
nodejs8 |
-------------------------------------------------+-------------------------
Comment (by tgyurci):
Replying to [comment:2 ryandesign]:
> We typically do not want to use bundled versions of third party
libraries. Consider what would happen if an openssl vulnerability were
found. We would update the openssl port, and every other port that used
openssl would thus receive the fix, but nodejs would not, since it would
be using its own still-vulnerable copy.
>
NodeJS tracks OpenSSL updates. When an OpenSSL security advisory is
published, then a corresponding NodeJS security update is released:
https://nodejs.org/en/blog/vulnerability/ , so I thought using bundled
OpenSSL with it would not be a security threat.
Despite all of this, I undestand that one exception is an exception too.
> However, I understand your point regarding libressl. If any port that
uses openssl is not compatible with libressl, that makes it difficult to
continue to use libressl with other ports. This is why I think pretending
that libressl is a drop-in replacement for openssl was a mistake, and
MacPorts should instead have openssl and libressl install to different
locations, not conflict with one another, and all ports that support
openssl and libressl should be modified to offer openssl and libressl
variants.
Obviously this would be only a port-specific workaround for a bigger
issue.
--
Ticket URL: <https://trac.macports.org/ticket/54688#comment:8>
MacPorts <https://www.macports.org/>
Ports system for macOS
More information about the macports-tickets
mailing list