openssh @7.6p1_4 +ldns: Install fails at openssh configure stage when libressl is installed

[leebast (Lee Bast)]

May be High Sierra specific, but I only have one 10.12 system and no 10.11 or 10.10 systems remaining to verify with. Reproduced on rMBP and Mac Pro 5,1 running macOS 10.13.4, Xcode 9.3 with all software updates applied. With a completely fresh install of MacPorts build fails at the openssh configuration step. However, the build succeeded on a system running 10.12.6.

Steps to reproduce:

1. New install of MacPorts, selfupdate.
2. port install libressl
3. port install openssh +ldns

All dependencies install. Build halts at

--->  Configuring openssh
Error: Failed to configure openssh, consult /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_openssh/openssh/work/openssh-7.6p1/config.log
Error: Failed to configure openssh: configure failure: command execution failed

OpenSSH does install successfully with libressl installed but without the ldns variant, or without libressl installed and with the ldns variant.

[mf2k (Frank Schima)]

In the future, please fill in the Port field.

[pmetzger (Perry E. Metzger)]

Assigning to janstary on the basis that he's the person who seems to be most interested in libressl at the moment.

[leebast (Lee Bast)]

Replying to mf2k:

In the future, please fill in the Port field.

Will do. I'm not sure how I missed that beyond it being the end of a long day, my apologies.

[janstary (Jan Starý)]

The libressl port installs LibreSSL 2.5.5, which is a couple of releases ago. Please try the same with libessl-devel, which is currently 2.7.2.

[janstary (Jan Starý)]

On MacOS 10.13.4 with libressl-devel installed (2.7.2), sudo port -vs build openssh -xauth -kerberos5 +ldns builds fine.

[janstary (Jan Starý)]

The offending line from your main.log becomes

checking OpenSSL header version... 20000000 (LibreSSL 2.7.2)
checking OpenSSL library version... 20000000 (LibreSSL 2.7.2)

[janstary (Jan Starý)]

openssh -xauth -kerberos5 +ldns with libressl-devel

[pmetzger (Perry E. Metzger)]

janstary: if the port requires the -devel version, then shouldn't it be made to depend on it, at least for now?

[danielluke (Daniel J. Luke)]

it currently doesn't depend on libressl at all. We should probably change it from path:lib/libssl.dylib:openssl to port:openssl for now. Ideally, we fix libressl & openssl so they can both be installed at the same time and then have ports depend on one or the other (possibly with variants).

[raimue (Rainer Müller)]

Installing openssl and libressl side-by-side is already being tracked in #54744.

[janstary (Jan Starý)]

Perry: both OpenSSH and LibreSSL are OpenBSD projects; of course OpenSSH works with LibreSSL, they are both parts of OpenBSD base install. Understandably, OpenSSH requires a decently recent version of LibreSSL - but we have 2.5.5 in the libressl port. The current relese of LibreSSL is 2.7.3; we have 2.7.2 in the libressl-devel port. So it's not like OpenSSH "requires" libressl-devel, it's that our libressl port is so behind.

[janstary (Jan Starý)]

Daniel: no, we should not change path:lib/libssl.dylib:openssl to port:openssl. That would make it _require_ openssl, while OpenSSH does not require OpenSSL at all. Which would make it impossible for people with libressl* installed to install the openssh port.

[pmetzger (Perry E. Metzger)]

Now that a more up to date LibreSSL-devel is in, what's the status on this?

[janstary (Jan Starý)]

With LibreSSL 2.7.3 installed via libressl-devel, the current openssh port builds fine on MacOS 10.13.4

[janstary (Jan Starý)]

I don't now what else is supposed to happen with this. With the current LibreSSL, as intalled by libressl-devel, it works just fine. With the outdated LibreSSL present in the libressl port, it doesn't. We need to update the libressl port.

[Ionic (Mihai Moldovan)]

libressl port is at 2.8.3, assuming this issue is fixed.