LibreSSL to OpenSSL Migration Status Thread


Shawn Webb

Jun 27, 2018, 10:17:47 AM
to us...@hardenedbsd.org, libres...@hardenedbsd.org
Hey All,

This thread is specifically to keep users apprised of the migration
back to OpenSSL in HardenedBSD base.

As of 27 Jun 2018 1008 EDT, the following actions have been performed:

1. Create libressl-dev@ mailing list to help coordinate efforts to
maintain LibreSSL in HardenedBSD. This mailing list is public and
anyone can join.
2. Archive the package repos and expose them via a new URL. An example
pkg config file is posted below. These repos, being archived, will
not be updated during their lifetimes. They will be removed on 01
Jan 2019.
3. Added Piotr Kubaj as a ports developer. He will help Bernard with
LibreSSL support in ports.

The next steps:

1. Commit a change to base to default MK_LIBRESSL to "no". This will
happen on 01 Jul 2018.
2. Start a new package build for 11-STABLE/amd64. This will happen on
01 Jul 2018.
3. Publish a new 11-STABLE binary update for base. This will happen
shortly before the 11-STABLE/amd64 package repo is finished
building. Estimated day, subject to change: 04 Jul 2018.
4. Start a new package build for 12-CURRENT/amd64. This will happen
after the 11-STABLE/amd64 package build finishes. Expected day,
subject to change: 04 Jul 2018.
5. Publish a new 12-CURRENT/amd64 binary update for base. This will
happen shortly before the 12-CURRENT/amd64 package repo is finished
building. Estimated day, subject to change: 08 Jul 2018.

Example pkg config:

# $FreeBSD$
#
# To disable this repository, instead of modifying or removing this file,
# create a /usr/local/etc/pkg/repos/HardenedBSD.conf file:
#
# mkdir -p /usr/local/etc/pkg/repos
# echo "HardenedBSD: { enabled: no }" > /usr/local/etc/pkg/repos/HardenedBSD.conf
#

HardenedBSD: {
    url: "pkg+http://pkgs.hardenedbsd.org/HardenedBSD/pkg/LibreSSL/${ABI}",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/share/keys/pkg",
    enabled: yes
}

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lat...@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

Shawn Webb

Jul 1, 2018, 8:01:50 AM
to us...@hardenedbsd.org, libres...@hardenedbsd.org
The switch has taken place in 12-CURRENT and 11-STABLE source trees.
I'm starting a new 11-STABLE/amd64 package build now.

12-CURRENT commits:
1. 94bdc9b13eeffdf63e73d62d23dbdad8f8f89afe
2. a096bef9a874079ab14429b68e11eb99aff43b34
3. 29f5ac15b8ea989e8db6081a08031470bac43917
4. e85007a090d91cddc9c0015e7b5ee4256052d2c4

11-STABLE commits:
1. 1087d59e45072059e2d20ac2dea1801d995c9a2d
2. 9f6b95254911ed6831b588f6ff4216a03fcb7a13
3. c76afb069ef43c2cc586eb4b43b4bbac8de2f3ce

If you update from source instead of with hbsd-update and choose to
update before the package repos are ready, please note that all
packages must be rebuilt and reinstalled locally.

Thanks,

Shawn Webb

Jul 3, 2018, 10:50:30 AM
to us...@hardenedbsd.org, libres...@hardenedbsd.org
The 11-STABLE/amd64 package repo has around 15-20 hours left to go.
I'm preparing the system that generates hbsd-update update archives.
When this update is published within the next 15-20 hours, you will
see the following message:

==== BEGIN MESSAGE ====
******************
* IMPORTANT NOTE *
******************

This update switches the base operating system from LibreSSL to
OpenSSL. Special care must be taken when applying this update.
All packages must be reinstalled after this update is applied.
Likewise, if using ports, all installed ports must be rebuilt
and reinstalled.

How to properly reinstall all packages:

1. pkg-static clean -y
2. pkg-static upgrade -f

As usual, if secadm is used, flush the ruleset prior to upgrading
packages.

If you wish to postpone installing this update, please hit Control-C
within the next ten (10) seconds.
==== END MESSAGE ====

I will keep everyone informed when the update is published and when
the package repo is rebuilt.

Please let me know if you have any questions, comments, or concerns.
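The two status messages above (the 1 Jul source-update note and the hbsd-update warning) both come down to one failure mode: after base moves from LibreSSL to OpenSSL, package binaries still linked against the old LibreSSL libcrypto/libssl SONAMEs typically show those libraries as "not found" in ldd(1) output until they are reinstalled or rebuilt. The script below is an added example, not part of the thread or of HardenedBSD's tooling; it parses ldd output and lists every binary with an unresolved libssl/libcrypto dependency. The sample ldd output and its library version numbers are constructed placeholders, not real LibreSSL or OpenSSL SONAMEs.

```shell
#!/bin/sh
# Added example: find package binaries whose libssl/libcrypto linkage is
# unresolved after the base switch, i.e. candidates for reinstall/rebuild.

# Parse ldd(1) output. ldd prints a "/path/to/binary:" header line, then one
# indented line per dependency, either
#   libfoo.so.N => /path/libfoo.so.N (0x...)   or
#   libfoo.so.N => not found (0x...)
# Prints "binary library" for each unresolved libssl/libcrypto dependency.
find_stale_ssl_links() {
    awk '
        /^[^[:space:]].*:$/ { bin = substr($0, 1, length($0) - 1); next }
        /=> not found/ && ($1 ~ /^lib(ssl|crypto)\.so/) { print bin, $1 }
    '
}

# Constructed sample of ldd output (placeholder SONAME versions): curl and
# nginx still point at removed libraries, git already links the new ones.
SAMPLE_LDD='/usr/local/bin/curl:
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800200000)
    libssl.so.45 => not found (0x0)
    libcrypto.so.43 => not found (0x0)
    libc.so.7 => /lib/libc.so.7 (0x800400000)
/usr/local/bin/git:
    libssl.so.111 => /usr/lib/libssl.so.111 (0x800200000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x800300000)
    libc.so.7 => /lib/libc.so.7 (0x800400000)
/usr/local/sbin/nginx:
    libcrypto.so.43 => not found (0x0)
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800500000)'

# Run the parser over the constructed sample. On a real system you would
# instead feed it: ldd /usr/local/bin/* /usr/local/sbin/* 2>/dev/null
demo_stale_links() {
    printf '%s\n' "$SAMPLE_LDD" | find_stale_ssl_links
}

demo_stale_links
```

An empty result after `pkg-static upgrade -f` (or after rebuilding all ports) is the check that the reinstall actually replaced everything that depended on the old libraries.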

Shawn Webb

Jul 3, 2018, 7:21:17 PM
to us...@hardenedbsd.org, libres...@hardenedbsd.org
There's probably around 10-15 hours left on the package build. Oliver
just pushed to the stable repo and I have now started building a
binary update for 11-STABLE/amd64 base. The binary update will take
around five hours to build.

****
IF YOU USE THE PACKAGE REPO: DO NOT UPGRADE BASE UNTIL I GIVE THE
NOTIFICATION THAT THE PACKAGE REPO HAS BEEN SUCCESSFULLY UPDATED.
****

Shawn Webb

Jul 3, 2018, 9:34:17 PM
to us...@hardenedbsd.org, libres...@hardenedbsd.org
It took a lot less time to create the binary update than expected. The
binary update for base has been published.

I'll reiterate the warning above:

Shawn Webb

Jul 4, 2018, 7:01:17 AM
to us...@hardenedbsd.org, libres...@hardenedbsd.org
The 11-STABLE/amd64 package repo has been updated. Feel free to update
at your leisure.

C. L. Martinez

Jul 4, 2018, 7:13:10 AM
to Shawn Webb, HardenedBSD, libres...@hardenedbsd.org
Many thanks, Shawn. Congratulations to the whole HardenedBSD dev team.


Shawn Webb

Jul 4, 2018, 7:28:21 AM
to us...@hardenedbsd.org, libres...@hardenedbsd.org
The 12-CURRENT/amd64 package build is now starting. We're following
the same procedures as we did for 11-STABLE/amd64.

Thanks,

Shawn Webb

Jul 7, 2018, 8:58:28 AM
to us...@hardenedbsd.org, libres...@hardenedbsd.org
Our package build server lost power last night. We have to restart the
package build process for both 12-CURRENT/amd64 and 12-CURRENT/arm64.

The 12-CURRENT/amd64 package build should take around 75 hours. The
12-CURRENT/arm64 package build should take around three weeks.

Shawn Webb

Jul 10, 2018, 5:05:06 PM
to us...@hardenedbsd.org, libres...@hardenedbsd.org
The amd64 package building server is finishing up. It should be a
maximum of 15 hours from now (though, more likely around five). It may
finish up while I sleep tonight.

I've published a binary update for base.

****
IF YOU USE THE PACKAGE REPO: DO NOT UPGRADE BASE UNTIL I GIVE THE
NOTIFICATION THAT THE PACKAGE REPO HAS BEEN SUCCESSFULLY UPDATED.
****

If you do _NOT_ use the package repo, but build ports yourself, you
can now proceed to perform the upgrade. YOU WILL NEED TO REBUILD ALL
PORTS FROM SCRATCH.

Shawn Webb

Jul 10, 2018, 7:38:43 PM
to us...@hardenedbsd.org, libres...@hardenedbsd.org
The 12-CURRENT/amd64 package repo has been updated! Upgrade at your
leisure!

Shawn Webb

Jul 27, 2018, 6:59:14 PM
to us...@hardenedbsd.org, libres...@hardenedbsd.org
The package repo for HardenedBSD 12-CURRENT/arm64 has now been
updated. A binary update is being built now.

Additionally, this is the first arm64 package build with non-Cross-DSO
CFI support enabled. This not only fully concludes the OpenSSL to
LibreSSL transition, but also brings arm64 to the same level of CFI
support as amd64.

Thanks,