Opened 7 years ago

Last modified 6 years ago

#54688 assigned enhancement

nodejs fails to build with libressl

Reported by: tgyurci (Teubel György) Owned by: ci42
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc:
Port: nodejs4 nodejs6 nodejs8

Description

The nodejs ports do not build with LibreSSL, hence LibreSSL cannot be used as a "base" ssl library for other ports when one needs Node.js.

A possible workaround for this would be to add a "bundled_ssl" variant to the nodejs port(s) to use the bundled OpenSSL instead of depending the openssl port.

Change History (11)

comment:1 Changed 7 years ago by mf2k (Frank Schima)

Owner: set to ci42
Port: nodejs4 nodejs5 nodejs6 nodejs7 nodejs8 added; nodejs removed
Status: newassigned
Type: requestenhancement

In the future, please Cc the port maintainers (port info --maintainers nodejs4 nodejs5 nodejs6 nodejs7 nodejs8), if any.

Note that a "request" ticket type is only for requesting a new port.

comment:2 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)

We typically do not want to use bundled versions of third party libraries. Consider what would happen if an openssl vulnerability were found. We would update the openssl port, and every other port that used openssl would thus receive the fix, but nodejs would not, since it would be using its own still-vulnerable copy.

However, I understand your point regarding libressl. If any port that uses openssl is not compatible with libressl, that makes it difficult to continue to use libressl with other ports. This is why I think pretending that libressl is a drop-in replacement for openssl was a mistake, and MacPorts should instead have openssl and libressl install to different locations, not conflict with one another, and all ports that support openssl and libressl should be modified to offer openssl and libressl variants.

comment:3 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)

See #54744

comment:4 Changed 7 years ago by jeremyhu (Jeremy Huddleston Sequoia)

I thought I updated nodejs a while ago to fix their building against libressl.

Last edited 7 years ago by jeremyhu (Jeremy Huddleston Sequoia) (previous) (diff)

comment:5 Changed 7 years ago by jeremyhu (Jeremy Huddleston Sequoia)

Actually, I was confused. It was mozjs that I had to recently fixup.

comment:6 Changed 7 years ago by jeremyhu (Jeremy Huddleston Sequoia)

Summary: nodejs variant to build with bundled opensslnodejs fails to build with libressl

comment:8 in reply to:  2 Changed 7 years ago by tgyurci (Teubel György)

Replying to ryandesign:

We typically do not want to use bundled versions of third party libraries. Consider what would happen if an openssl vulnerability were found. We would update the openssl port, and every other port that used openssl would thus receive the fix, but nodejs would not, since it would be using its own still-vulnerable copy.

NodeJS tracks OpenSSL updates. When an OpenSSL security advisory is published, then a corresponding NodeJS security update is released: https://nodejs.org/en/blog/vulnerability/ , so I thought using bundled OpenSSL with it would not be a security threat.

Despite all of this, I undestand that one exception is an exception too.

However, I understand your point regarding libressl. If any port that uses openssl is not compatible with libressl, that makes it difficult to continue to use libressl with other ports. This is why I think pretending that libressl is a drop-in replacement for openssl was a mistake, and MacPorts should instead have openssl and libressl install to different locations, not conflict with one another, and all ports that support openssl and libressl should be modified to offer openssl and libressl variants.

Obviously this would be only a port-specific workaround for a bigger issue.

comment:9 Changed 6 years ago by TP75

How to acknowledge this ticket and the current situation? The a.m. content needs an update itself as this ticket seems to be referred as blocker to LibreSSL in other tickets which I would call quite misleading.

One may look at https://nodejs.org/en/ and you will find just two versions mentioned for macOS (x64):

  • 10.13.0 LTS - Recommended For Most Users
  • 11.2.0 Current - Latest Features

However, there is also a release 2018-11-20, Version 8.13.0 Carbon (LTS) available. This may be reasonable for legacy ports and older platforms.

This is reflected by the available ports:

  • nodejs10 @10.13.0
  • nodejs11 @11.2.0
  • nodejs8 @8.12.0 (currently outdated due to the short schedule apparently)

IMHO this discussion should resolve on the future migration path and should not become too much of a backlog. I take the liberty in proposing to overcome the outdated ports before nodejs10 and would welcome if we could focus on the two LTS and the current version of NodeJS if possible.

Last edited 6 years ago by TP75 (previous) (diff)

comment:10 Changed 6 years ago by TP75

Replying to tgyurci:

The nodejs ports do not build with LibreSSL, hence LibreSSL cannot be used as a "base" ssl library for other ports when one needs Node.js.

Please be aware there is a port libressl-devel available in MacPorts for some time already. To my knowledge there is a sufficient amount of ports which compile nicely with this version of LibreSSL including the successful install of the current nodejs11 @11.2.0 with libressl-devel @2.8.1 with MacPorts 2.5.4 on macOS 10.12.6 with XCode 9.2 environment.

Last edited 6 years ago by TP75 (previous) (diff)

comment:11 Changed 6 years ago by yan12125 (Chih-Hsuan Yen)

Port: nodejs5 nodejs7 removed

nodejs5 and nodejs 7 has been dropped in https://github.com/macports/macports-ports/pull/4113.

Note: See TracTickets for help on using tickets.