state of libressl in macports

Mon May 10 23:30:00 UTC 2021

You've summed up the situation nicely.

On May 9, 2021, at 21:18, Kastus Shchuka wrote:

> Macports has ports of both openssl and libressl but they are mutually exclusive as they install overlapping files. Binary precompiled packages are built with openssl, so folks using libressl have to build  ports depending on libssl from source. Not convinient, but still manageable.

Correct, our current situation with openssl and libressl is not optimal, not really what I would like to have. See https://trac.macports.org/ticket/54744. Nobody has volunteered to fix the situation. Anyone is welcome to do so. It would involve coming up with a proposal, discussing it on the macports-dev mailing list and reaching consensus about what should be done, and then doing it.

> Openssl keeps adding new features which are not immediately available in libressl. That affects programs using libssl. Quite often ports require libressl-specific patches just to be able to be built with libressl. Some ports declare explicit dependency on openssl, and if I have libressl installed, I am stuck in this situation, as openssl cannot be installed alongside with libressl.
> 
> The most recent example: 
> 
> port sync && port outdated showed py38-cryptography and py39-cryptography as outdated 
> 
> py38-cryptography              2.9.2_0 < 3.4.7_1
> py39-cryptography              2.9.2_0 < 3.4.7_1         
> 
> Binary packages are built with openssl, so rev-upgrade attempts to rebuild them. It worked with version 2.9.2, but 3.4.7 pulls in rust and cargo. Pre-built rust has to be rev-upgraded because of libssl, and fails to build as it requires openssl, and I have libressl installed, and it conflicts with openssl. This is where I hit the wall.
> 
> I am not using py-cryptography directly, I need py38/39-cryptography as a dependency of ansible. It looks like if I want to continue using ansible on this system and have it managed by macports, I have to give up on libressl and install openssl. Or install ansible outside of macports. I guess there are more ports in such situation.

Often, when someone adds a port to MacPorts that requires openssl or an openssl-compatible library like libressl, they write the dependency as "port:openssl". This prevents libressl from being used. Currently there are a small number of ports in this situation:

$ port echo depends:'port:openssl($|\s)'
calendar-contacts-server
libaes_siv
netdata
netdata-dashboard
ntpsec
ophcrack
rizin
squid4
sslscan
rust
msodbcsql17

Often, this occurs simply because the contributor was not aware of the issue, and switching the dependency to "path:lib/libssl.dylib:openssl" is all that's needed to allow libressl to be used if desired. Rarely, there are specific reasons why libressl is not compatible with a project; in that case, the Portfile should contain a comment line near the "port:openssl" dependency that explains why.

In the case of rust, it declares both a library dependency on path:lib/libssl.dylib:openssl and a build dependency on port:openssl, which seems like nonsense to me:

$ port -v deps rust
Full Name: rust @1.52.1_0
Build Dependencies:   bin:git:git, path:bin/cmake:cmake, port:cctools, port:python39, port:openssl, port:pkgconfig, port:ninja, port:gmake, port:ccache
Library Dependencies: port:libffi, path:lib/libssl.dylib:openssl

It seems like removing the port:openssl build dependency would be the correct thing to do, but I haven't tried to figure out why it's the way it is.

I recommend filing bug reports for any of these ports that do not already indicate in their comments a specific reason for incompatibility with libressl.

> Is macports as a project going to drop support for libressl? (Several linux distros, e.g. gentoo and void, did it recently). 
> It would be nice to have libressl in macports, but if the project does not have resources to support it, would it be better just to state that explicitly? It would prevent unnecessary expectations.

I don't think anyone's expressed any interest in dropping libressl support before. I wasn't aware that any Linux distros had dropped support for it, but I don't know anything else about what Linux distros are doing either. Do you know why they dropped libressl?