Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#63832 closed defect (fixed)

sudo links with openssl, libintl and zlib without declaring a dependency on them

Reported by: RobK88
Owned by: Schamschula (Marius Schamschula)
Priority: Normal
Milestone:
Component: ports
Version: 2.7.1
Keywords:
Cc:
Port: sudo

Description

Upgrading openssl / openssl3 breaks sudo on Lion.

bash-3.2$ port outdated
The following installed ports are outdated:
curl                           7.79.1_0 < 7.79.1_1       
gdal                           3.3.1_1 < 3.3.1_2         
git                            2.33.1_1 < 2.33.1_2       
kerberos5                      1.19.2_0 < 1.19.2_1       
libcaca                        0.99.beta20_0 < 0.99.beta20_1   
libevent                       2.1.12_0 < 2.1.12_1       
libshout2                      2.4.5_0 < 2.4.5_1         
links                          2.25_0 < 2.25_1           
NetSurf                        3.10_0 < 3.10_1           
ntp                            4.2.8p15_0 < 4.2.8p15_1   
openssl                        1.1_4 < 3_0               
opusfile                       0.12_0 < 0.12_1           
p5.28-net-ssleay               1.900.0_3 < 1.900.0_4     
p5.30-net-ssleay               1.900.0_3 < 1.900.0_4     
postgresql13                   13.4_1 < 13.4_2           
python27                       2.7.18_3 < 2.7.18_4       
python37                       3.7.12_0 < 3.7.12_1       
python38                       3.8.12_1 < 3.8.12_2       
python39                       3.9.7_0 < 3.9.7_1         
rsync                          3.2.3_0 < 3.2.3_1         
xar                            1.8.0.452_0 < 1.8.0.452_1   
bash-3.2$ 
bash-3.2$ sudo port upgrade outdated
--->  Computing dependencies for xar
--->  Fetching distfiles for xar
--->  Verifying checksums for xar
--->  Extracting xar
--->  Applying patches to xar
--->  Configuring xar
--->  Building xar                                       
--->  Staging xar into destroot                          
--->  Installing xar @1.8.0.452_1
--->  Cleaning xar
--->  Computing dependencies for xar
--->  Deactivating xar @1.8.0.452_0
--->  Cleaning xar
--->  Activating xar @1.8.0.452_1
--->  Cleaning xar
--->  Computing dependencies for openssl3
--->  Fetching distfiles for openssl3
--->  Attempting to fetch openssl-3.0.0.tar.gz from http://distfiles.macports.org/openssl3
--->  Verifying checksums for openssl3                                               
--->  Extracting openssl3
--->  Configuring openssl3
--->  Building openssl3                                  
--->  Staging openssl3 into destroot                     
--->  Installing openssl3 @3.0.0_2                       
--->  Activating openssl3 @3.0.0_2
--->  Cleaning openssl3
--->  Computing dependencies for openssl
--->  Fetching distfiles for openssl
--->  Verifying checksums for openssl
--->  Extracting openssl
--->  Configuring openssl
--->  Building openssl
--->  Staging openssl into destroot
--->  Installing openssl @3_0
--->  Cleaning openssl
--->  Computing dependencies for openssl
--->  Deactivating openssl @1.1_4
--->  Cleaning openssl
--->  Activating openssl @3_0
--->  Cleaning openssl
--->  Computing dependencies for curl
--->  Fetching distfiles for curl
--->  Verifying checksums for curl
--->  Extracting curl
--->  Applying patches to curl
--->  Configuring curl
Warning: Configuration logfiles contain indications of -Wimplicit-function-declaration; check that features were not accidentally disabled:
  getpass_r: found in curl-7.79.1/config.log
  memrchr: found in curl-7.79.1/config.log
  free: found in curl-7.79.1/config.log
  clock_gettime: found in curl-7.79.1/config.log
  CloseSocket: found in curl-7.79.1/config.log
  closesocket: found in curl-7.79.1/config.log
--->  Building curl
--->  Staging curl into destroot                         
--->  Installing curl @7.79.1_1+ssl                      
--->  Cleaning curl
--->  Computing dependencies for curl
--->  Deactivating curl @7.79.1_0+ssl
--->  Cleaning curl
--->  Activating curl @7.79.1_1+ssl
--->  Cleaning curl
--->  Computing dependencies for postgresql13
--->  Fetching distfiles for postgresql13
--->  Verifying checksums for postgresql13
--->  Extracting postgresql13
--->  Applying patches to postgresql13
--->  Configuring postgresql13
Error: Failed to configure postgresql13: consult /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_databases_postgresql13/postgresql13/work/postgresql-13.4/config.log
Error: Failed to configure postgresql13: configure failure: command execution failed
Error: See /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_databases_postgresql13/postgresql13/main.log for details.
Error: Follow https://guide.macports.org/#project.tickets if you believe there is a bug.
bash-3.2$ 
bash-3.2$ sudo port clean postgresql13
dyld: Library not loaded: /opt/local/lib/libcrypto.1.1.dylib
  Referenced from: /opt/local/bin/sudo
  Reason: image not found
Trace/BPT trap: 5
bash-3.2$
bash-3.2$ /usr/bin/sudo port clean postgresql13
Password:
--->  Cleaning postgresql13

Change History (10)

comment:1 Changed 2 years ago by ryandesign (Ryan Carsten Schmidt)

You must upgrade the sudo port first.

comment:2 Changed 2 years ago by ryandesign (Ryan Carsten Schmidt)

Cc: larryv@… neverpanic mps@… removed
Keywords: lion removed
Owner: set to Schamschula
Port: openssl openssl3 removed
Status: new → assigned
Summary: "Upgrading openssl / openssl3 Breaks sudo port on Lion -- dyld: Library not loaded: /opt/local/lib/libcrypto.1.1.dylib" → "sudo links with openssl without declaring a dependency on it"

Or rather, we must apparently add an openssl dependency to the sudo port and increase its revision, because evidently sudo uses openssl and we did not know that.

Until we get this ironed out, you can work around it by rebuilding sudo from source:

/usr/bin/sudo port -nst upgrade --force sudo

comment:3 Changed 2 years ago by ryandesign (Ryan Carsten Schmidt)

Summary: "sudo links with openssl without declaring a dependency on it" → "sudo links with openssl, libintl and zlib without declaring a dependency on them"

Similarly, sudo links with libintl and zlib without declaring those dependencies.

comment:4 Changed 2 years ago by Schamschula (Marius Schamschula)

Indeed! I found the gettext dependency as well. I didn't see the zlib dependency for the sudo binary, but it's needed for sudoreplay.


comment:5 Changed 2 years ago by Schamschula (Marius Schamschula)

Update is on its way. However, I first need to get openssh rebuilt before I can commit to GitHub.

comment:6 Changed 2 years ago by Schamschula (Marius Schamschula)

Resolution: fixed
Status: assigned → closed

comment:7 Changed 2 years ago by RobK88

Thanks everyone.

P.S. It also looks like upgrading openssl breaks qpdf. Looks like there may be an undeclared dependency in the qpdf portfile. According to the website for qpdf, "Depending on which crypto providers are enabled, then GnuTLS and OpenSSL may also be required." I will open another ticket. (See https://trac.macports.org/ticket/63843#ticket)

Computing dependencies for kerberos5
--->  Fetching distfiles for kerberos5
--->  Verifying checksums for kerberos5
--->  Extracting kerberos5
--->  Applying patches to kerberos5
--->  Configuring kerberos5
Warning: Configuration logfiles contain indications of -Wimplicit-function-declaration; check that features were not accidentally disabled:
  bswap_64: found in krb5-1.19.2/src/config.log
  bswap_16: found in krb5-1.19.2/src/config.log
--->  Building kerberos5
--->  Staging kerberos5 into destroot                    
--->  Installing kerberos5 @1.19.2_1                     
--->  Cleaning kerberos5
--->  Computing dependencies for kerberos5
--->  Deactivating kerberos5 @1.19.2_0
--->  Cleaning kerberos5
--->  Activating kerberos5 @1.19.2_1
--->  Cleaning kerberos5
--->  Updating database of binaries
--->  Scanning binaries for linking errors
--->  Found 62 broken files, matching files to ports     
--->  Found 10 broken ports, determining rebuild order
You can always run 'port rev-upgrade' again to fix errors.
The following ports will be rebuilt:
 python27 @2.7.18
 python37 @3.7.12
 python38 @3.8.12
 sudo @1.9.8p2
 qpdf @10.3.2
 NetSurf @3.10
 rsync @3.2.3
 libevent @2.1.12
 ntp @4.2.8p15
 postgresql13 @13.4
Continue? [Y/n]: Y

comment:8 Changed 2 years ago by Schamschula (Marius Schamschula)

qpdf is built against gnutls, not any form of *ssl. However, it does depend on libpsl, which is built using openssl.


comment:9 Changed 2 years ago by Schamschula (Marius Schamschula)

I've run otool on all binaries and libraries in qpdf. None link against openssl.
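
The link check that comments 3, 4 and 9 describe doing by hand, as an added example (not part of the ticket or of MacPorts): it parses `otool -L` output for every binary a port installs and reports libraries under the MacPorts prefix whose owning port is not declared. The sample output, the sudoreplay path and the library-to-port table are constructed; on a real system the table would come from `port provides`.

```python
import re

# Constructed `otool -L` output for two binaries of one port (sample data, not
# taken from the ticket; only the libcrypto path appears there).
OTOOL_OUTPUT = {
    "/opt/local/bin/sudo": """/opt/local/bin/sudo:
\t/opt/local/lib/libcrypto.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
\t/opt/local/lib/libintl.8.dylib (compatibility version 11.0.0, current version 11.0.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 159.1.0)
""",
    "/opt/local/bin/sudoreplay": """/opt/local/bin/sudoreplay:
\t/opt/local/lib/libintl.8.dylib (compatibility version 11.0.0, current version 11.0.0)
\t/opt/local/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 159.1.0)
""",
}

# Assumed file-to-port ownership, standing in for `port provides <file>`.
LIB_OWNER = {
    "/opt/local/lib/libcrypto.1.1.dylib": "openssl",
    "/opt/local/lib/libintl.8.dylib": "gettext",
    "/opt/local/lib/libz.1.dylib": "zlib",
}

ENTRY = re.compile(r"^\s+(\S+) \(compatibility version ")


def linked_libraries(otool_text):
    """Install names listed by `otool -L`; the unindented header line is skipped."""
    return [m.group(1) for line in otool_text.splitlines() if (m := ENTRY.match(line))]


def undeclared_dependencies(otool_by_binary, declared, prefix="/opt/local/"):
    """Map each port that is linked but not declared to the binaries that need it."""
    findings = {}
    for binary, text in otool_by_binary.items():
        for lib in linked_libraries(text):
            if not lib.startswith(prefix):
                continue  # OS library outside the MacPorts prefix
            port = LIB_OWNER.get(lib, "unowned:" + lib)
            if port not in declared:
                findings.setdefault(port, set()).add(binary)
    return {port: sorted(bins) for port, bins in sorted(findings.items())}


if __name__ == "__main__":
    for port, binaries in undeclared_dependencies(OTOOL_OUTPUT, declared=set()).items():
        print(f"undeclared: {port} (linked by {', '.join(binaries)})")
```

Checking only the main binary would miss zlib here, which is why the scan covers every installed binary of the port.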

comment:10 Changed 2 years ago by Schamschula (Marius Schamschula)

The hazards of building in trace mode: For some reason qpdf enables both gnutls and openssl at the same time. I never saw that, as only gnutls was declared.

I've split the two forms of TLS into variants. +gnutls is the default: https://github.com/macports/macports-ports/commit/a5acf19a3336967214a5ac5cb423ed49c9d7d51f
