Opened 7 years ago
Last modified 6 years ago
#54688 assigned enhancement
nodejs fails to build with libressl
Reported by: | tgyurci (Teubel György) | Owned by: | ci42 |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | |
Keywords: | | Cc: | |
Port: | nodejs4 nodejs6 nodejs8 |
Description
The nodejs ports do not build with LibreSSL, hence LibreSSL cannot be used as a "base" ssl library for other ports when one needs Node.js.
A possible workaround for this would be to add a "bundled_ssl" variant to the nodejs port(s) to use the bundled OpenSSL instead of depending on the openssl port.
Change History (11)
comment:1 Changed 7 years ago by mf2k (Frank Schima)
Owner: | set to ci42 |
---|---|
Port: | nodejs4 nodejs5 nodejs6 nodejs7 nodejs8 added; nodejs removed |
Status: | new → assigned |
Type: | request → enhancement |
comment:2 follow-up: 8 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)
We typically do not want to use bundled versions of third party libraries. Consider what would happen if an openssl vulnerability were found. We would update the openssl port, and every other port that used openssl would thus receive the fix, but nodejs would not, since it would be using its own still-vulnerable copy.
However, I understand your point regarding libressl. If any port that uses openssl is not compatible with libressl, that makes it difficult to continue to use libressl with other ports. This is why I think pretending that libressl is a drop-in replacement for openssl was a mistake, and MacPorts should instead have openssl and libressl install to different locations, not conflict with one another, and all ports that support openssl and libressl should be modified to offer openssl and libressl variants.
comment:4 Changed 7 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Just considering this a dupe of #54744.
Please just stick with libressl and rebuild ports that are dependent on it.
comment:5 Changed 7 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Actually, I was confused. It was mozjs that I had to recently fix up.
comment:6 Changed 7 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Summary: | nodejs variant to build with bundled openssl → nodejs fails to build with libressl |
---|
comment:7 Changed 7 years ago by jeremyhu (Jeremy Huddleston Sequoia)
comment:8 Changed 7 years ago by tgyurci (Teubel György)
Replying to ryandesign:
> We typically do not want to use bundled versions of third party libraries. Consider what would happen if an openssl vulnerability were found. We would update the openssl port, and every other port that used openssl would thus receive the fix, but nodejs would not, since it would be using its own still-vulnerable copy.
NodeJS tracks OpenSSL updates. When an OpenSSL security advisory is published, then a corresponding NodeJS security update is released: https://nodejs.org/en/blog/vulnerability/ , so I thought using bundled OpenSSL with it would not be a security threat.
Despite all of this, I understand that one exception is an exception too.
> However, I understand your point regarding libressl. If any port that uses openssl is not compatible with libressl, that makes it difficult to continue to use libressl with other ports. This is why I think pretending that libressl is a drop-in replacement for openssl was a mistake, and MacPorts should instead have openssl and libressl install to different locations, not conflict with one another, and all ports that support openssl and libressl should be modified to offer openssl and libressl variants.
Obviously this would be only a port-specific workaround for a bigger issue.
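Added example, not part of the ticket: the trade-off discussed in comments 2 and 8 depends on which OpenSSL a given Node.js binary actually uses. This sketch reads `process.config.variables.node_shared_openssl` and `process.versions.openssl` to report whether a fix has to come from a Node.js update or from a library update; the function names, the minimum fixed version and the sample values are constructed for illustration.

```javascript
// Added example, not from the ticket. Sample versions below are constructed.

// Parse OpenSSL version strings such as "1.1.0i" or "3.0.13" into parts.
function parseOpenSSLVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(text || '');
  return m ? [Number(m[1]), Number(m[2]), Number(m[3]), m[4]] : null;
}

// Returns <0, 0, >0, or null if either string cannot be parsed.
// Letter suffixes order as "" < "a" < ... < "z" < "za" < "zb".
function compareOpenSSL(a, b) {
  const pa = parseOpenSSLVersion(a), pb = parseOpenSSLVersion(b);
  if (!pa || !pb) return null;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  if (pa[3].length !== pb[3].length) return pa[3].length - pb[3].length;
  return pa[3] < pb[3] ? -1 : pa[3] > pb[3] ? 1 : 0;
}

// minFixed: first fixed OpenSSL version, taken by the operator from an advisory.
// config and versions default to the running process; pass objects to test.
function auditNodeTls(minFixed, config = process.config, versions = process.versions) {
  const vars = (config && config.variables) || {};
  const isTrue = (v) => v === true || v === 'true';
  if (!isTrue(vars.node_use_openssl) || !versions.openssl) {
    return { linkage: 'none', version: null, vulnerable: false, remedy: null };
  }
  const shared = isTrue(vars.node_shared_openssl);
  const cmp = compareOpenSSL(versions.openssl, minFixed);
  const vulnerable = cmp === null ? null : cmp < 0;
  let remedy = null;
  if (vulnerable) {
    // Bundled copy: only a new Node.js build helps. Shared: update the library.
    remedy = shared ? 'update the shared TLS library' : 'update Node.js itself';
  }
  return { linkage: shared ? 'shared' : 'bundled', version: versions.openssl, vulnerable, remedy };
}

// Constructed input: a build using its bundled OpenSSL 1.1.0i, fix in 1.1.0j.
console.log(auditNodeTls(
  '1.1.0j',
  { variables: { node_use_openssl: 'true', node_shared_openssl: 'false' } },
  { openssl: '1.1.0i' }
));
```

Calling `auditNodeTls(minFixed)` with no other arguments inspects the running binary; a `vulnerable` value of `null` means the version string could not be compared and needs a manual check.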
comment:9 Changed 6 years ago by TP75
How to acknowledge this ticket and the current situation? The a.m. content needs an update itself, as this ticket seems to be referred to as a blocker to LibreSSL in other tickets, which I would call quite misleading.
One may look at https://nodejs.org/en/ and you will find just two versions mentioned for macOS (x64):
- 10.13.0 LTS - Recommended For Most Users
- 11.2.0 Current - Latest Features
However, there is also a release 2018-11-20, Version 8.13.0 Carbon (LTS) available. This may be reasonable for legacy ports and older platforms.
This is reflected by the available ports:
- nodejs10 @10.13.0
- nodejs11 @11.2.0
- nodejs8 @8.12.0 (currently outdated due to the short schedule apparently)
IMHO this discussion should resolve on the future migration path and should not become too much of a backlog. I take the liberty in proposing to overcome the outdated ports before nodejs10 and would welcome if we could focus on the two LTS and the current version of NodeJS if possible.
comment:10 Changed 6 years ago by TP75
Replying to tgyurci:
> The nodejs ports do not build with LibreSSL, hence LibreSSL cannot be used as a "base" ssl library for other ports when one needs Node.js.
Please be aware there is a port libressl-devel available in MacPorts for some time already. To my knowledge there is a sufficient amount of ports which compile nicely with this version of LibreSSL including the successful install of the current nodejs11 @11.2.0 with libressl-devel @2.8.1 with MacPorts 2.5.4 on macOS 10.12.6 with Xcode 9.2 environment.
comment:11 Changed 6 years ago by yan12125 (Chih-Hsuan Yen)
Port: | nodejs5 nodejs7 removed |
---|
nodejs5 and nodejs7 have been dropped in https://github.com/macports/macports-ports/pull/4113.
In the future, please Cc the port maintainers (`port info --maintainers nodejs4 nodejs5 nodejs6 nodejs7 nodejs8`), if any. Note that a "request" ticket type is only for requesting a new port.